Chapter 6: Network Components

Split Tunnel VPNs

A form of VPN where not all traffic is routed via the VPN. Allows multiple connection paths, some via the protected route, and other traffic routed via non-VPN paths.

Delay-based Filtering

Deliberate pause between the opening of a connection and the sending of an SMTP (Simple Mail Transfer Protocol) server's welcome banner.

Anonymizing Proxy

Designed to hide information about the requesting system. Usually used by users concerned with the amount of information being transferred across the Internet.

Logs/WORM (Write Once Read Many)

Logs are written once into the SIEM data-store and then read by multiple sensors. (Written once and read by many)

Port Security

Utilizing a connecting device's MAC address, port security can assist in the overall security posture. Port security can be implemented in three variants:
- Static learning
- Dynamic learning
- Dynamic sticky
Also susceptible to MAC Spoofing Attacks, but great at mitigating MAC Flood Attacks.

Callback Verification

Validates the "from" address of incoming e-mail.

Aggregation and Correlation (SIEM)

Aggregation: Refers to the collecting of information in a central place. Correlation: The connection of events based on some common basis.

Load Balancing

Distributing the processing load over multiple systems. Commonly utilized for systems handling websites, high-bandwidth file transfers, and Internet Relay Chat (IRC). Best implemented in stateless systems, allowing subsequent requests to be processed by the next available system. Certain systems are critical to business operations and should be designed for Availability/Fault Tolerance.

SSL (Secure Sockets Layer) Decryptors

Encrypted traffic entering and leaving an organization poses an interesting dilemma for network security monitoring devices. Decryptors can be implemented in hardware or software, and act as a means of opening SSL/TLS traffic to allow for the screening of the traffic.

Flood Guards

Implementation of Flood Guards can assist in preventing Flood Attacks from occurring. By managing traffic flow or traffic percentage, Flood Guards increase the security posture. There are a number of "flood" attacks, including:
- Ping Floods
- SYN Floods
- ICMP Floods (Smurf Attacks)
- Various Traffic Floods
These are commonly used to perform Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.

Trusted Servers

List of trusted SMTP (Simple Mail Transfer Protocol) servers.

Host-to-Gateway (IPsec)

Many remote users typically access organizational resources through the Internet. The organization will have a gateway which secures traffic to and from its servers and authorized users. In this case users establish a SA (Security Association) with the gateway and then a separate SA with the desired server, if required.

Routers

Traffic management devices used to connect different network segments. Operate at Layer 3 (Network Layer) of the OSI Model. Examine each packet and make routing/forwarding decisions based on destination addresses. Modern versions incorporate the ability to act as application gateways, perform stateful packet inspection, and provide IPS (Intrusion Prevention System) functions. ACLs can be configured to inspect traffic to determine whether the traffic should be permitted or denied across the network interface.

Network Address Translation (NAT)

Translates the private IP address to a public address for routing over the Internet. Specifically IPv4 translation from Private to Public and vice versa.

Proxies

Used to filter out undesirable traffic and prevent employees from accessing potentially malicious websites. Proxy servers take requests from a client system and forward them to the destination system on the client's behalf. Proxies can be transparent, or they can modify the client request before sending it.

Intrusion Detection Systems (IDS)

Designed to detect, log, and respond to unauthorized network or host use. Can be implemented in software form or as a dedicated hardware device. Two forms:
- Host Based Intrusion Detection System (HIDS)
- Network Based Intrusion Detection System (NIDS)
A NIDS sits outside of normal network traffic, connected to a SPAN/Mirror port on a switch.

Intrusion Prevention Systems (IPS)

Designed to take direct action against a potential threat. Can be implemented in software form or as a dedicated hardware device. Two forms:
- Host Based Intrusion Prevention System (HIPS)
- Network Based Intrusion Prevention System (NIPS)
A NIPS sits inline with normal traffic and acts as a pass-through point for inspection. Behavior-based IPS can be very effective against zero-day exploits, as most have the ability to communicate with a cloud-based vulnerability and threat feed.

E-Mail Encryption

E-mail is by default a plaintext protocol, making e-mail and e-mail attachments subject to eavesdropping anywhere between the sender and receiver. E-mail encryption can be a challenge for organizations due to a lack of uniform standards. Secure/Multipurpose Internet Mail Extensions (S/MIME) standards provide a means for PKI (Public Key Infrastructure) use across e-mail channels; however, challenges like trust across domains still exist.

Content or Keyword Filtering

Filters e-mail messages for undesirable content or indications of spam.

Basic Packet Filtering

Filters on the source, destination, protocol, and ports. Makes the determination to "Permit" or "Deny" the traffic.

Authentication Header (AH) [IPsec]

When added, ensures the integrity of the data/packet and the authenticity of the source. Protects integrity but does not provide privacy. To provide data protection, the two header extensions can be used independently or together.

Behavior-based IDS and IPS

This model monitors what should be considered "normal" traffic behavior on the network. Can assist in the potential detection of "Zero Day Attacks".

Host-to-Host (IPsec)

An IPSec connection between two machines. Simplest connection between two machines. In this case the Internet is not part of the Security Association (SA) between the machines.

Reverse Proxy

A computer or an application program that routes incoming requests to the correct back-end server. Usually configured on the server side of the network connection. Placed in front of web servers. Can assist with Load Balancing functions.

Open Proxy

Available to essentially any Internet user. Controversy has surrounded the use of Open Proxies, and many organizations block the use of them.
- Common and often has some anonymizing capabilities
- Often used to circumvent corporate proxies

PTR and Reverse DNS (Domain Naming Service) Checks

Checks the origin domain of the e-mail sender. Checks to see if the message is possibly coming from a home-based broadband or dynamically assigned IP address.

Hybrid Filtering

Combination of several filtering techniques used for spam defense. Most organizations use a hybrid filtering solution.

Rule-Based Management

Common control methodology for configuring systems used for firewalls, proxies, switches, routers, anti-malware, IDS/IPS, etc. to achieve a desired operational state. Desired operational states are defined in such a manner that they can be represented as rules, and a control enforces the rules in operations. As each packet reaches the device, the rule is applied and interpreted.

IDS and IPS Components

Consists of the following logical components:
- Traffic Collector (sensor) - collects activity/events for the IDS/IPS to examine.
- Analysis Engine - examines the collected network traffic and compares it to known patterns or suspected malicious activity.
- Signature Database - collection of patterns and definitions of known malicious activity.
- User Interface and Reporting - provides alarms/alerts of suspected malicious traffic.
Tuning is required to eliminate excessive or unwanted false positives and false negatives.

Thin Access Points

Controller-based access point. Basically a radio and antenna that is controlled by a wireless switch. This access point does not contain the management and configuration functions that are found in autonomous access points. The entire configuration takes place at the switch. This usually saves time and money. Controller-based AP solutions allow for centralized management and control, which can facilitate better channel management, better load balancing, and easier deployment of the patches and firmware updates.

Access Point Antenna Types

Depending on the AP, different antenna types may be used:
- Omnidirectional - operates in all directions, covers the greatest area per antenna.
- Yagi - directional, spreading the RF energy in a more limited field.
- Panel - directional, solid room performance while preventing signal bleed behind the antenna.

Transport Mode (IPsec)

Encrypts only the data/payload of the IP packet. This mode enables outsiders to see the source and destination addresses. Protection of the data portion is known as content protection.

Tunnel Mode (IPsec)

Encrypts the source and destination addresses of a packet as well as the data/payload itself. This of course provides the greatest security, however it can only be accomplished between two IPsec gateways (servers or routers). Protection in this mode is referred to as context protection.

Spam

Essentially unsolicited or undesired bulk e-mail or other electronic messages. Most spam filtering is done at the network or SMTP (Simple Mail Transfer Protocol) server level. It's more efficient to scan all incoming and outgoing messages at this point in the network.

Content-filtering Proxy

Examines each client request and compares it to an Acceptable Use Policy (AUP). Is able to filter on the URL or content of the requested information.

Firewalls

Hardware, software, or both that usually resides on the perimeter/edge of networks to stop unauthorized users/attacks from accessing the network. Commonly found throughout today's enterprise networks as hardware devices and installed software. Used for implementing a DMZ topology. Designed to filter network traffic based on Security Policies implemented by the Administrator. Modern firewalls work off the principle of "IMPLICIT DENY". Incorporating "least access", firewalls can make decisions on these factors and others:
- Source Address
- Destination Address
- Protocol
- Port
- Application-layer details

Time Synchronization (SIEM)

It's essential to have a common time standard for all systems.

Application Layer Proxies

Packets are not allowed to traverse the firewall, but data instead flows up to an application that in turn decides what to do with it. Allowing for deep packet inspection. Commonly used with mail servers and web servers.

Virtual Private Networks (VPNs)

Provides a secure communication channel between users/systems across untrusted or public networks. The most common implementation of VPN is IPsec, which is optional for the protection of IPv4 but required with IPv6.

Encapsulating Security Payload (ESP) [IPsec]

Provides security services for the higher-level protocol portion of the packet only and not the header. ESP provides confidentiality, but does not protect the integrity of the packet. If both are required, they need to be combined.

Data Loss Prevention (DLP)

Technology employed to detect and prevent transfers of data across an enterprise. This technology can be tuned to detect account numbers, secrets, specific markers, or files. Examples:
- There are concerns that documents containing PII are being printed and may result in a security violation. DLP can be utilized to prevent this unwanted action from taking place.
- In-house penetration testers have been asked to exfiltrate data utilizing steganography in an attempt to bypass the DLP system. Scanning e-mails containing unusually large image files could detect this attempted action.
- Scanning for unauthorized use of removable media like USB devices.

IPsec Traffic Security and Key Management

Two Traffic Security Protocols:
- Authentication Header (AH), IP protocol number 51
- Encapsulating Security Payload (ESP), IP protocol number 50
In addition there are three protocols for key management and exchange:
- Internet Security Association and Key Management Protocol (ISAKMP)
- Oakley
- Secure Key Exchange Mechanism (SKEME)
The three key management protocols can be referred to collectively as Internet Key Management Protocol (IKMP) or Internet Key Exchange (IKE), on default port UDP/500.

Gateway-to-Gateway (IPsec)

Two security devices are placed in the data stream, relieving the hosts of the calculation and encapsulation duties. The two gateways create a security association (SA) between them.

Statistical Content Filtering

Users mark received messages as either SPAM or legitimate mail. Filtering system learns what to filter from the user's input.

Security Information and Event Management (SIEM)

A combination of hardware and software designed to classify and analyze security data. A method for analyzing risk in software systems. It is a centralized collection and monitoring of security and event logs from different systems. Allows for the correlation of different events and early detection of attacks.

Transport Layer Security (TLS)

A data encryption technology used for securing data transmitted over the Internet. The successor to Secure Sockets Layer (SSL); can be used to exchange keys and create a secure tunnel that enables secure communication across a public network. Has some advantages over IPsec-based VPNs when networks make heavy use of NAT (Network Address Translation), since IPsec-based VPNs can have issues crossing multiple NAT domains.

Hardware Security Module (HSM)

A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protecting log files, etc. Can assist in cryptographic operations such as encryption, hashing, or the application of digital signatures. Storing private keys on it can allow the use of the key without exposing them to a wide range of host-based threats. Can be placed in front of servers as a centralized storage point for encryption keys.

Stateful Packet Filtering

A firewall technology that keeps a record of the state of a connection between an internal computer and an external server and then makes decisions based on the connection as well as the rule base. Maintains the state of connections. Allows return traffic for connections originating from the trusted interface back to the source device. Provides inspection at most layers of the OSI model.

IPSec (Internet Protocol Security)

A framework and suite of protocols that form protection for the natively insecure nature of IPv4. Although optional with IPv4, it is an option that offers transport encryption. Transport encryption offers protection of confidentiality, integrity, and authenticity for data passing between two points and is impervious to today's most Advanced Persistent Threats (APT). IPsec is designed to provide access control, connectionless integrity, traffic-flow confidentiality, rejection of replayed packets, data security (encryption), and source authentication. IPsec has two defined modes: Transport mode and Tunnel mode. It is possible to use both; e.g. using transport mode within one's own network to reach an IPsec server, which then tunnels to the target server's network.

Media Gateway

A gateway capable of accepting connections from multiple devices (for example, IP telephones, traditional telephones, IP fax machines, traditional fax machines, and so on) and translating analog signals into packetized, digital signals, and vice versa. Translates different protocols to common protocols. A wide range of media protocols exist and can make communication challenging at times.

Switches

A layer 2 device that is used to connect two or more network segments and regulate traffic. Primary connection point in most Ethernet-based LANs. Implements separate collision domains and allows for full duplex communication. Operates at Layer 2 (Data Link Layer) of the OSI Model. Switches forward traffic based on MAC Addresses. Modern switches have the ability to implement and enforce security policies such as:
- MAC Filtering
- Port Security
- Flood Control
- 802.1X (EAP over Ethernet / Port-based Authentication)

Service Set Identifier (SSID)

A network name: a unique 32-character identifier attached to the header of the packet that wireless routers use to identify themselves. The most basic form of authentication that 802.11 performs when connecting to an AP. Broadcast by default as a network name. Best practice is to rename the default and disable its broadcast, though it would still be vulnerable to being discovered by a network sniffer.

Blacklisting

Rejecting domains or source addresses known for sending spam.

Signature-based IDS and IPS

Relies on a predefined set of patterns (signatures). Has the ability to offer fast processing however relies on the proper signature database to be effective.

Static Learning (Port Security)

A specific MAC address is assigned to the switch port. Usually configured by the administrator prior to devices connecting. Typically used for fixed/static components (e.g. printers and servers).

VPN Concentrators

Allow multiple VPN connections to terminate at a single point. Choice of proper ciphers on VPN concentrators is important to implement properly. A mixture of strong and weak ciphers could result in an attacker performing a downgrade attack and the IPSEC payload could revert to a 16-bit sequence number.

Caching Proxy

- Keeps local copies of popular client requests (if the time to live is still valid); often used in large organizations to reduce bandwidth usage and increase performance.
- Conserves network resources.
- Keeps a copy in memory.

Always-On VPN

A VPN that allows the user to always stay connected instead of connecting and disconnecting from it. Can self-configure and connect once an Internet connection is sensed, providing VPN functionality without user intervention.

Heuristic-based IDS and IPS

Relies on Artificial Intelligence to detect potential threats. Uses a set of algorithms to determine whether traffic is malicious or not (e.g. a URL containing 10 numbers is a potential threat, 11 is worse, and 20 is worse still). This model lies somewhere between signature-based and behavior-based.

Router Security Policies/Configuration

Routers are the backbone of internal and external networks. Proper steps need to be taken to mitigate potential threats and reduce vulnerabilities:
- Restrict the use of insecure remote access protocols (i.e. Telnet and SNMP v1 and v2)
- Use secure remote access protocols like SSH and SNMPv3
- Change default usernames and passwords used to connect to the device
- Disable unused ports and services, reducing the attack surface
- Restrict physical access to the device (enforce multi-factor authentication)
- Place routers in secure rooms and locations with access control logging

Full Tunnel VPN

Routes all traffic over the VPN, providing protection to all networking traffic.

Automated Alerting and Triggering

SIEMs (Security Information and Event Management) have the ability through a set of rules and the use of analytical engines to identify predetermined patterns and either issue an alert or react to them.

Access Control Lists (ACL)

Security Policies that define what traffic is permissible (allowed) and what traffic is blocked (denied). A rule-set specifying the specific action the firewall should take during the inspection process. Processed in a top down fashion, taking action based on the first matching statement.

Anomaly-based IDS and IPS

Similar to behavior-based: understands what "normal" behavior/traffic should look like and recognizes deviations from that. Has the ability to see command sequences that don't match the operating system (e.g. Linux commands sent to a Windows device).

Rule-based Filtering

Simple technique that looks for matches in certain fields or keywords.

Web Proxy

Solely designed to handle web traffic and often referred to as a web cache.

Fat Access Points

Standalone access points. Autonomous/Intelligent. Has everything it needs to handle wireless clients. If the end-user deploys several, they need to be configured individually. Small standalone Wi-Fi access points can have substantial capabilities with respect to authentication, encryption, and even to a degree channel management.

Switch Hardening

Switches have become widely dispersed devices in today's networks and should be properly protected and hardened:
- Restrict the use of insecure remote access protocols (i.e. Telnet and SNMP v1 and v2)
- Use secure remote access protocols like SSH and SNMPv3
- Change default usernames and passwords used to connect to the device
- Disable unused ports and services, reducing the attack surface
- Restrict physical access to the device (enforce multi-factor authentication)
- Place switches in secure rooms and locations with access control logging

Loop Protection

Technique to prevent broadcast storms by using the IEEE 802.1D standard spanning-tree algorithm (STA). Switches operating at Layer 2 (Data Link Layer) don't have a countdown mechanism to kill packets that get caught in loops. Switching loops occur when traffic continues to transit across multiple switches that are interconnected. Loops that go uncorrected will result in what is known as a "Broadcast Storm".
- Caused by incorrectly cabled or connected switches
- Mitigated with the implementation of 802.1D (Spanning Tree Protocol)

Wireless Access Points (APs)

The point of entry and exit for radio-based network signals into and out of a network. As wireless has become more capable in all aspects of networking, wireless-based networks are replacing cabled, or wired, solutions.

Event Deduplication (SIEM)

The practice in SIEM that tries to narrow events down by eliminating duplicate events. Assists security analysts by reducing clutter in a dataset that can obscure real events that have meaning.

Egress Filtering

The practice of monitoring and potentially restricting the flow of information outbound from one network to another. Performs filtering on e-mail messages leaving the organization.

Secure Network Administration Principles

The principles used to ensure network security, including properly configuring hardware and software and properly performing operations and maintenance. Networks are composed of hardware and software, operated under policies and procedures that define desired operating conditions.

SSL (Secure Sockets Layer)/TLS (Transport Layer Security) Accelerators

The process of encrypting traffic per SSL/TLS protocols can be a compute-intensive effort. An accelerator includes hardware-based SSL/TLS operations to handle the throughput, and it acts as a transparent device.

Media Access Control (MAC) filtering

The selective admission of devices based on their MAC address. Deployed on switches as a means of machine authentication. Wireless networks allow the MAC address to be discovered making them susceptible to MAC Spoofing. Ex: May be used in a case where malicious traffic from an internal network has been detected on an unauthorized port on an application server. An engineer could apply MAC filtering to the network or server to prevent this from taking place.

Network Access Control (NAC)

The set of standards defined by the network for clients attempting to access it. Usually requires that clients be virus free and adhere to specified policies before allowing them on the network. The ability to manage and screen connecting endpoints on a case-by-case basis. Provides the ability for organizations to conduct health screens and compliance validation against devices connecting to enterprise networks. Has increased in popularity with BYOD and tele-workers, and has great benefits in validating connecting devices. There are two popular variations:
- NAP (Network Access Protection) - Microsoft implementation
- NAC (Network Access Control) - Cisco implementation

Dynamic Sticky (Port Security)

The switch will dynamically learn MAC addresses for connecting devices. The table will stay consistent even in the event of a power cycle of the device.

Dynamic Learning (Port Security)

The switch will learn the MAC address for a specified number of connecting devices. Susceptible to power cycles due to table containing learned MAC addresses being volatile (forgotten when the device is turned off).

Host-to-Host and Gateway-to-Gateway (IPsec)

This implementation combines the two IPsec connection types. A separate SA (Security Association) will be negotiated between the gateways, and another negotiated between the hosts. This is essentially a tunnel inside a tunnel.

Antenna Placement

Wi-Fi by nature is a radio-based communication method, so antenna placement is critical to prevent bleed-over outside buildings. Antennas come in a variety of types:
- High-gain antennas deal with weaker signals but have shorter coverage
- Omnidirectional antennas cover wider areas, but at lower levels of gain
Maximize the coverage over a physical area and reduce low-gain areas (interference).

Wi-Fi Power Level Controls

Wi-Fi power levels can be controlled by hardware for a variety of reasons. The lower the power, the less opportunity for interference. Complex environments allow signal controls to increase capacity and control on the network. Lower antenna power levels in areas like conference rooms or anywhere access needs to be restricted.
