SUMMARY NOTES
UNIT 3:
NETWORK SECURITY
3.1 Security Components
Firewall Overview
• Definition: Device or service that sits between the client and the system trying to be
accessed
• Use: Distributes incoming network traffic to a server farm
• Makes decisions based on pre-defined criteria and sends communication between
client and system to a server or a system in server farm or pool
o Used to distribute the load evenly on a system farm or pool
o Used to maintain back-up system in case primary system goes down
o Provides fault tolerance – if a server goes down, the other servers in the pool can handle the
traffic
• Load balancers increase the availability of an asset
• Sends incoming traffic to the chosen server farm or pool based on criteria for both
system traffic and the load balancer’s configuration for fault tolerance
• To choose the right solution, you must clearly define the parameters for your specific
needs
• Basic Network
o Routes traffic based on source and destination addresses
o Does not balance traffic; only routes traffic based upon addresses
o Operates at Layer 3: Network Layer
o Example: DNS Round-Robin
• Transport
o Operates at Layer 4: Transport Layer on TCP/UDP
o Manages and routes traffic to systems based upon traffic usage
• Application
o Operates at Layer 7: Application Layer
o Built to handle large volumes of traffic with multiple client connections on a
large scale
o HTTP load balancers are capable of handling millions of loads per second
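The distribution and fault-tolerance behaviour described above, as an added illustration that is not part of the original notes: a small in-memory dispatcher with a round-robin policy (even spread across the pool) and a least-connections policy, both of which skip any server whose health check has marked it down. Server names and the request stream are constructed sample data; the class and method names are this example's own.

```python
from collections import Counter
from itertools import cycle


class LoadBalancer:
    """Dispatches requests across a pool of back-end servers.

    policy="round_robin"       -> even distribution, skipping servers marked down
    policy="least_connections" -> healthy server with the fewest open connections
    """

    def __init__(self, pool, policy="round_robin"):
        self.pool = list(pool)
        self.policy = policy
        self.healthy = {s: True for s in self.pool}   # health-check state
        self.active = {s: 0 for s in self.pool}       # open connections per server
        self._rr = cycle(self.pool)

    def mark_down(self, server):
        """Health check failed: stop routing to this server."""
        self.healthy[server] = False

    def mark_up(self, server):
        """Health check recovered: server may receive traffic again."""
        self.healthy[server] = True

    def pick(self):
        """Choose a healthy server per the policy and open a connection on it."""
        candidates = [s for s in self.pool if self.healthy[s]]
        if not candidates:
            raise RuntimeError("no healthy servers in pool")
        if self.policy == "least_connections":
            # tie-break on pool order so the choice is deterministic
            chosen = min(candidates, key=lambda s: (self.active[s], self.pool.index(s)))
        else:
            while True:
                chosen = next(self._rr)
                if self.healthy[chosen]:
                    break
        self.active[chosen] += 1
        return chosen

    def release(self, server):
        """A connection on this server has finished."""
        self.active[server] -= 1

    def dispatch(self, requests):
        """Assign each request to a server; returns a list of (request, server)."""
        return [(req, self.pick()) for req in requests]


def distribution(assignments):
    """How many requests each server received."""
    return Counter(server for _, server in assignments)


if __name__ == "__main__":
    lb = LoadBalancer(["web1", "web2", "web3"])          # constructed pool
    print(distribution(lb.dispatch(range(6))))           # even spread
    lb.mark_down("web2")                                 # simulate a failed health check
    print(distribution(lb.dispatch(range(4))))           # web2 no longer receives traffic
```

The round-robin branch corresponds to the simple even-spread case in the notes; the least-connections branch is a Layer 4 style decision that uses per-server load rather than a fixed rotation.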
IDS/IPS Overview
• Host-based
o HIDS
o HIPS
o An agent on each individual host reads that host’s local files and logs
• Network-based
o NIDS
o NIPS
o Resides on firewalls operating at different layers of the OSI model
• IDS/IPS Operation Methods
o Signature-based
▪ Compares traffic against a pre-defined signature set; anything not in the set is not detected
o Anomaly-based
▪ Learns what is normal in the system so it can detect anything
abnormal
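Both operation methods side by side, as an added example that is not part of the original notes: a signature matcher with a fixed set of known-bad patterns, and a rate-based anomaly detector that first learns a baseline and then flags any minute whose request count sits well above it. The log lines, the signature set and the baseline numbers are constructed sample data; the fourth log line is deliberately something the signature set does not cover, to show the coverage gap the notes describe.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed sample web-server log lines (not from any real system).
SAMPLE_LOG = [
    "2024-05-01T10:00:03 10.0.0.5 GET /index.html 200",
    "2024-05-01T10:00:09 10.0.0.7 GET /search?q=1%20union%20select%20password 200",
    "2024-05-01T10:00:21 10.0.0.9 GET /../../etc/passwd 404",
    "2024-05-01T10:00:40 10.0.0.5 GET /login?user=admin'%20OR%201=1-- 200",
]

# Signature-based: a fixed set of known patterns. Anything not listed here
# (the fourth line above) is simply not seen.
SIGNATURES = {
    "sqli-union-select": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_scan(lines):
    """Return (signature_name, line) for every line matching a known signature."""
    hits = []
    for line in lines:
        decoded = unquote(line)  # normalise %20 etc. before matching
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.append((name, line))
    return hits


def requests_per_minute(lines):
    """Count requests per minute bucket (timestamp prefix YYYY-MM-DDTHH:MM)."""
    return Counter(line[:16] for line in lines)


class RateAnomalyDetector:
    """Anomaly-based: learn what a normal request rate looks like, then flag
    any minute whose count is more than k standard deviations above the mean."""

    def __init__(self, k=3.0):
        self.k = k
        self.mean = None
        self.stdev = None

    def learn(self, baseline_counts):
        """Training phase: baseline_counts are requests-per-minute from normal traffic."""
        self.mean = statistics.mean(baseline_counts)
        # floor the spread at 1 so a perfectly flat baseline still tolerates some noise
        self.stdev = max(statistics.pstdev(baseline_counts), 1.0)

    def threshold(self):
        return self.mean + self.k * self.stdev

    def is_anomalous(self, count):
        return count > self.threshold()


if __name__ == "__main__":
    for name, line in signature_scan(SAMPLE_LOG):
        print("signature hit:", name, "->", line)
    detector = RateAnomalyDetector()
    detector.learn([10, 12, 11, 9, 10])          # constructed normal minutes
    for minute, count in requests_per_minute(SAMPLE_LOG).items():
        print(minute, count, "anomalous" if detector.is_anomalous(count) else "normal")
```

The two detectors fail in opposite directions: the signature scanner misses the fourth line because no rule describes it, while the rate detector would flag a burst of perfectly legitimate requests if it exceeds the learned threshold, which is why the two are normally deployed together.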
• Proxy server changes the source address of the traffic before sending it to the target
• When the information returns from the target, the proxy changes the address back to
the original source (now destination) address
• Anonymous
o Client→Proxy Server→Internet
o Purpose is to hide client identity
• Reverse
o Internet→Proxy Server→Service
o Purpose is to hide the service being accessed
• Transparent
o Does not hide internal address
o Purpose is to cache information and reduce bandwidth
• SSL
o Purpose is to protect data as it moves from point A to B
• FTP (File Transfer Protocol)
o Uses proxy server to transfer files between client and server
• HTTP (Web traffic proxy)
o Most common type of proxy
o HTTPS includes SSL and HTTP
• SOCKS (Secure Sockets)
o Works on TCP/UDP, multiple ports, and more than one layer of the OSI model
o Custom built for the application being protected
• More security/control needed means more money, time, and power used
UTM and SIEM Devices
URL/Website Filtering
Protocol Analyzer
• Data at rest
o Data that is in a static location
o Examples include records in filing cabinet or credit card number in database
o Data present for use, but not in current use
• Data in use
o Data actively used by a person or system process
o Examples include updating HR record and credit card transaction processing
• Data in transit
o Data being moved from the at-rest position to the at-use position
▪ Examples: HR record in filing cabinet moved to user desk or credit card
info being read from database and processed by e-commerce system
▪ Think of money in an armored vehicle being transferred to an ATM
Types of Assets
o Hardware, software, systems, facilities or intellectual property like cloud-based systems
o People are the most valuable asset
▪ Any device on the network can communicate with other devices
▪ Segmentation done on switches and routers
▪ Only the switch ports that are tagged to the VLAN are on that network
▪ Router sends traffic out and brings it back to subnetwork under VLAN
▪ Router is also used for different VLANs to communicate between ports
▪ Requires careful and appropriate programming
▪ Zones of trust can be different VLANs
• Additional considerations for segmentation
o Incurs administrative overhead: each network segmentation must be
designed, validated and tested
o Incurs additional business costs
o Very dangerous: any mistake can shut down entire network
o Availability: most important concern is the system being up
Secure Intranet
Intranet Security
IPSec
IPSec Overview
IPSec Configuration
• Two-phase Communication
o Phase 1 - secures the tunnel with encryption
o Phase 2 - passes traffic back and forth
• Modes: Tunnel and Transport
o Transport Mode
▪ User IP is never the same
▪ Uses digital certificates for encryption
▪ Preferable for allowing remote users to access an organization’s
resources
o Tunnel Mode
▪ Corporation A to corporation B
▪ Uses symmetric encryption (shared secret)
▪ Preferable for allowing two entities to access each other’s resources
securely
• Three Parts of IPSec
o Security Association
o Authentication Header
o Encapsulating Security Payload (ESP)
IPSec Protocols
o Provides confidentiality through encryption
• Security Association (SA) defines how the configuration of the communication tunnel is
established and how it functions
o SA is critical to ensuring IPSec goals are met
o ESP encryption algorithm needs to be specified
o Use latest security standards to meet previous goals
o Transport or tunnel mode
▪ Tunnel mode: settings must match exactly on both ends, including the shared secret key
▪ Transport mode: settings that the roaming VPN client must support for the
connection to be established
o SA includes
▪ IKE exchange type
▪ Encryption algorithm
▪ Hash algorithm
▪ Security lifetime
Transport mode
Tunnel mode
o Both parties must be stationary
• Tunnel mode advantages:
o Allows individual SA parameters to be defined per tunnel
IPSec in Operations
• Company B Requirement:
o VPN established between A and B starts out and remains secure
• Information required to set up VPN in tunnel mode
o IKE Phase 1 Section which contains SA information
▪ Company A & B firewall IP addresses
▪ Shared secret symmetric key
▪ IKE encryption algorithm
▪ IKE hashing algorithm
▪ Diffie-Hellman key exchange group
▪ IKE main/aggressive mode
▪ IKE lifetime
o IPSec Phase 2 which contains AH and ESP information
▪ Company A & B network or host address
▪ ESP encryption algorithm
▪ ESP hashing algorithm
▪ IPSec tunnel lifetime
▪ Perfect forward secrecy group (or none)
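The "settings must match exactly" requirement, as an added example that is not part of the original notes: a checker that takes Company A's and Company B's tunnel-mode parameters (the Phase 1 and Phase 2 items listed above), verifies that the endpoint and protected-network addresses mirror each other, that every IKE and ESP proposal field is identical, and that the shared secret agrees, and separately warns about algorithms that current standards no longer recommend. The two configurations, the field names and the deprecated-algorithm list are this example's own assumptions; addresses come from documentation ranges.

```python
import hmac

# Algorithms a current deployment should no longer negotiate (assumption of this
# example, in the spirit of the notes' "use latest security standards").
DEPRECATED = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}

IKE_FIELDS = ("encryption", "hash", "dh_group", "mode", "lifetime")   # Phase 1
ESP_FIELDS = ("encryption", "hash", "lifetime", "pfs_group")          # Phase 2

# Constructed configurations for the two peers (not from any real deployment).
COMPANY_A = {
    "local_ip": "198.51.100.1", "remote_ip": "203.0.113.1",
    "local_net": "10.1.0.0/16", "remote_net": "10.2.0.0/16",
    "psk": "example-shared-secret",
    "ike": {"encryption": "aes256", "hash": "sha256", "dh_group": "modp2048",
            "mode": "main", "lifetime": 28800},
    "esp": {"encryption": "aes256", "hash": "sha256", "lifetime": 3600,
            "pfs_group": "modp2048"},
}
COMPANY_B = {
    "local_ip": "203.0.113.1", "remote_ip": "198.51.100.1",
    "local_net": "10.2.0.0/16", "remote_net": "10.1.0.0/16",
    "psk": "example-shared-secret",
    "ike": {"encryption": "aes256", "hash": "sha256", "dh_group": "modp1024",  # deliberate mismatch
            "mode": "main", "lifetime": 28800},
    "esp": {"encryption": "aes256", "hash": "sha256", "lifetime": 3600,
            "pfs_group": "modp2048"},
}


def check_tunnel(side_a, side_b):
    """Compare the two peers' tunnel-mode settings.

    Returns {"mismatches": [...], "weak": [...]}: every field on which the peers
    disagree, and every deprecated algorithm either side proposes.
    """
    mismatches = []
    weak = []

    # Endpoint and protected-network addresses must be mirror images of each other.
    for a_key, b_key in (("local_ip", "remote_ip"), ("remote_ip", "local_ip"),
                         ("local_net", "remote_net"), ("remote_net", "local_net")):
        if side_a[a_key] != side_b[b_key]:
            mismatches.append(f"{a_key}/{b_key}")

    # IKE (Phase 1) and ESP (Phase 2) proposals must match exactly.
    for section, fields in (("ike", IKE_FIELDS), ("esp", ESP_FIELDS)):
        for f in fields:
            if side_a[section].get(f) != side_b[section].get(f):
                mismatches.append(f"{section}.{f}")
            for label, side in (("A", side_a), ("B", side_b)):
                if str(side[section].get(f, "")).lower() in DEPRECATED:
                    weak.append(f"{label}:{section}.{f}={side[section][f]}")

    # The shared secret is compared in constant time and never echoed in the report.
    if not hmac.compare_digest(side_a["psk"].encode(), side_b["psk"].encode()):
        mismatches.append("psk")

    return {"mismatches": mismatches, "weak": weak}


if __name__ == "__main__":
    print(check_tunnel(COMPANY_A, COMPANY_B))
```

Running it on the sample reports a single mismatch on the Diffie-Hellman group and a warning that Company B's group is deprecated; a real negotiation with these settings would fail at Phase 1 before any ESP traffic is exchanged.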
3.4 VLAN / VPN
Virtual Networks
VLAN Security
• More granular access control can be employed to protect assets and contain less
secure assets
• Must be deployed carefully
• Can be employed in two separate manners
o Without routing
▪ Only devices on VLAN can communicate with each other
o With routing
▪ Has access control list (ACL) to provide granular access control
• VLANs should be hardened to prevent attacks
o Move all network traffic off VLAN 1 and change defaults
o Disable unused ports or assign them to black hole VLAN
o Control which ports are allowed to be used as trunk ports
o Assign specific MAC addresses to specific ports
o Block any traffic without MAC filtering
▪ Assists with MAC flood attacks
o Follow device manufacturer recommendations to harden the system for both
standard and VLAN usage
o Put management traffic on separate VLAN with routing to control who and
what systems can manage the device
• Testing is mandatory to ensure the availability of critical assets in an organization
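The VLAN hardening checklist turned into an automated check, as an added example that is not part of the original notes: a small parser for a Cisco IOS-style switch configuration and an audit that flags enabled access ports left on VLAN 1, access ports without MAC-based port security, trunks that carry every VLAN because no allowed-VLAN list was set, and enabled ports with no switchport configuration at all (treated here as unused ports that were not disabled). The configuration text is a constructed sample, and the finding codes are this example's own.

```python
# Constructed sample of a Cisco IOS-style switch configuration (not a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
interface GigabitEthernet0/2
 description user port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 switchport mode trunk
!
interface GigabitEthernet0/6
 description spare
!
"""


def parse_interfaces(config_text):
    """Map each interface name to the list of configuration lines beneath it."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None          # end of the interface stanza
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def audit_vlan_config(config_text):
    """Return (interface, finding) pairs for ports that violate the hardening items."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        if "shutdown" in lines:
            continue                # disabled port: nothing reachable, nothing to flag
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "trunk":
            # a trunk with no allowed-VLAN list carries every VLAN on the switch
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append((name, "trunk-allows-all-vlans"))
        elif mode == "access":
            # no explicit access VLAN means the port sits on the default VLAN 1
            vlan = next((l.split()[-1] for l in lines
                         if l.startswith("switchport access vlan ")), "1")
            if vlan == "1":
                findings.append((name, "traffic-on-vlan-1"))
            if "switchport port-security" not in lines:
                findings.append((name, "no-mac-port-security"))
        else:
            # enabled port with no switchport configuration: unused but still live
            findings.append((name, "unused-port-not-disabled"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_vlan_config(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

On the sample, GigabitEthernet0/3 is flagged twice (default VLAN 1 and no port security), GigabitEthernet0/5 as an unrestricted trunk and GigabitEthernet0/6 as an enabled but unconfigured port, while the shut-down port and the properly configured user and uplink ports pass.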
Network Security
▪ Remove console cables shipped with the devices
Personal VPN
• Provider will give configuration instructions to set up personal VPN for individual
devices
o Home router should connect via VPN so entire home network is encrypted
• Potential add-ons for each device
o Install specific software
o Provide digital certificate
o Provide credentials to access
• Users must learn how to toggle the VPN on and off
3.5 Securing Protocols
Telnet
HTTP
• Second most common Internet transport protocol
• Pushes e-mail from clients or servers to other servers
• Works on TCP port 25
• Servers listen on port 25 and whoever initiates picks random port to talk to port 25
SSL/TLS
Secure NTP
• How it works:
o Master time servers reach out to Internet atomic time clocks to stay
updated
o Every other system has to sync with the time server(s)
• Foundational protocol of computing systems
• Security concerns:
o Lack of encryption
o Lack of data transfer process integrity
• Immediate solutions available:
o NTP hierarchy, where only a fraction connect to Internet clocks
• Precautions
o Do not allow Internet devices access to internal network for NTP info
o Do not accept time sync messages from a server that are more than 1000
seconds off
▪ If one is received, the system should reject the message, log it, then raise an alert
o If Kiss of death packet received, ensure message has valid origin
timestamp
▪ If client talks too much to NTP server, the NTP server gives
client slower poll time
▪ Attackers can spoof source IP address sent to client and send it
to someone else or non-existent IP address
o Only enable broadcast NTP on internal network
o Force Internet-facing servers to sync with Internet time servers
• NTP v4
o Supports encryption, but it is unreliable and advised against
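The two client-side precautions above (reject, log and alert on a reply more than 1000 seconds off; honour a kiss-of-death packet only if its origin timestamp is valid), as an added example that is not part of the original notes. The origin-timestamp check is applied to every reply here, not only to kiss-of-death packets, because a reply that does not echo the client's own transmit timestamp was not an answer to its request. The NtpReply structure, the simplified one-sided offset calculation and the sample timestamps are this example's own assumptions; a real client derives the offset from all four NTP timestamps.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("ntp-client")

MAX_OFFSET_SECONDS = 1000     # reject anything further off than this (from the notes)
KISS_OF_DEATH_STRATUM = 0     # a kiss-o'-death packet is sent with stratum 0


@dataclass
class NtpReply:
    """The fields of a server reply that this check needs (simplified)."""
    stratum: int
    origin_ts: float     # server's copy of the timestamp the client sent
    transmit_ts: float   # server clock at the moment it replied
    kiss_code: str = ""  # e.g. "RATE" on a kiss-o'-death packet


def validate_reply(reply, sent_ts, local_now, alerts):
    """Decide what to do with one NTP reply.

    sent_ts   -- transmit timestamp the client put in its own request
    local_now -- the client's clock when the reply arrived
    alerts    -- list that receives a message whenever an alert should be raised
    Returns "accept", "backoff" (honour a genuine kiss-o'-death) or "reject".
    """
    # The origin timestamp must echo what we sent; otherwise the packet was not
    # a reply to our request and may have been spoofed.
    if reply.origin_ts != sent_ts:
        log.warning("origin timestamp mismatch: sent %s, got %s", sent_ts, reply.origin_ts)
        alerts.append("ntp reply with invalid origin timestamp")
        return "reject"

    if reply.stratum == KISS_OF_DEATH_STRATUM:
        # Genuine kiss-o'-death: the server wants this client to poll less often.
        log.info("kiss-o'-death %s received, slowing poll interval", reply.kiss_code)
        return "backoff"

    offset = reply.transmit_ts - local_now   # simplified one-sided offset estimate
    if abs(offset) > MAX_OFFSET_SECONDS:
        log.error("time offset %.1fs exceeds %ds; rejecting", offset, MAX_OFFSET_SECONDS)
        alerts.append(f"ntp offset {offset:.1f}s exceeds limit")
        return "reject"

    return "accept"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    raised = []
    # Constructed timestamps: the client sent at 1000.0 and received at 1000.6.
    print(validate_reply(NtpReply(2, 1000.0, 1000.5), 1000.0, 1000.6, raised))
    print(validate_reply(NtpReply(2, 1000.0, 5000.0), 1000.0, 1000.6, raised))
    print(validate_reply(NtpReply(0, 1000.0, 1000.5, "RATE"), 1000.0, 1000.6, raised))
    print(validate_reply(NtpReply(0, 999.0, 1000.5, "RATE"), 1000.0, 1000.6, raised))
    print(raised)
```

The fourth call models the spoofing case from the notes: a kiss-of-death packet whose origin timestamp does not match anything the client sent is rejected and alerted on rather than being allowed to slow the client's polling.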
Secure LDAP
• Open, vendor neutral, industry standard protocol for accessing and maintaining
distributed directory information services over an IP network
o Defines how to store and retrieve data from directory
o Shapes how data within directory service is presented to users
o Defines requirements for components used to create data entries within a
directory service
o Outlines how primitive elements are used to compose entries
o Communicates through a series of uniform resource locators (URLs)
• Operates on TCP port 389
• Derived from X.500 standards
• LDAP is not encrypted
• Can be secured in two ways:
o LDAPS:// forces SSL/TLS to occur on non-standard port 636
o TLS port 443 forces SSL/TLS encryption over port 389
• Critical to encrypt ALL LDAP communications on unsecure networks
3.6 Architecture and Deployment Models
Cloud Capabilities
• Clouds are a collection of hardware, software, and networking that delivers a service
over the Internet
o Provide scalability, lower administrative overhead, and platform
standardization
• Four cloud service models
o Private:
▪ Owned, managed and supported by a private entity
▪ Limitation: Organization at 100% exposure for security, availability, and
maintenance
o Public
▪ Owned, managed, and supported by a government or other public
entity
▪ Limitation: Does not offer granular control and logging that meet
specific system requirements
o Hybrid:
▪ Hybrid of private and public cloud
▪ Limitation: Very complex, all parts must work together correctly
o Community
▪ Collaborative effort between organizations that share resources
• All cloud models have limitations that will affect your security program
• Infrastructure as a service (IaaS) gives option to use local or cloud based resources
when building systems
Virtualization Technology
Cloud Services
As a service (aaS)
• Reliant entirely on Internet connection
o Needs proper security
Private Cloud
Public Cloud
Hybrid Cloud
• Combination of public and private clouds
o Example: Office 365 (public) connected to on-premises Active Directory
(private)
• Mixture of where the assets are kept and maintained
• Security requirements could be harder to meet
Community Cloud
3.7 Cloud Security Layers
• Physical
o Physically designed to protect assets
o Lighting, door locks, security guards, alarm systems, CCTV, server rooms, fire
suppression systems etc.
o Anything that would deter, deny, detect, or delay attackers
o When private clouds provide Internet services, the organization is responsible for
providing the defense-in-depth
• Administrative
o Focus on personnel and business practices
o Consist of written documentation that governs how organization functions
▪ Policies, procedures, standards, guidelines, baselines, hiring practices,
data labeling etc.
o Directive and Deterrence type of controls
• Technical/Logical
o Consist of hardware and/or software mechanisms/technology
o Used to manage access, provide protection of resources, systems, and assets
▪ Passwords, encryption, IDS/IPS, SIEM, Firewalls, endpoint protection,
network segmentation, access control lists etc.
o Can prevent, detect, correct, deter, recover, and compensate to provide
defense in depth against attackers
• Software as a Service (SaaS)
o Organization is just consuming the software, no control of hardware
▪ Gmail and Office 365 are examples
o Access policies, acceptable use policies, email retention policies,
spam/phishing/filter setting adjustments etc. should be considered
o Physical security controls are almost never considered since the organization
has no access to hardware
o Physical security of devices accessing the software should be considered
Cloud Security
Scenario
▪ Other controls for the system are provided in the annual SOC 2 Type 2
report
• Audited and reviewed including clarification questions and
responses to and from the cloud vendor
o Optimal outcome
▪ Involved from the beginning
▪ Security controls embedded in the process
o Frequent (Subpar) Outcome
▪ Might have to work behind
▪ Period of uncertainty before implementation