1.3 Objectives
Cloud Management features
* Network-wide visibility and control * Self-provisioning for rapid deployment * Automatic reporting * Seamless firmware updates * Central Management * Application Control * Guest Wi-Fi * Enterprise Security * Teleworker VPN * Device Management
bastion host
A bastion host may or may not be a firewall. The term refers to the position of any device. If the device is exposed directly to the Internet or to any untrusted network while screening the rest of the network from exposure, it is a bastion host. Whether the bastion host is a firewall, a DNS server, or a web server, all standard hardening procedures are especially important because this device is exposed. Any unnecessary services should be stopped, all unneeded ports should be closed, and all security patches must be up to date. These procedures are referred to as reducing the attack surface . Some other examples of bastion hosts are FTP servers, DNS servers, web servers, and email servers.
load balancing
A computer method for distributing workload across multiple computing resources.
proxy firewall
A firewall that stands between a connection from the outside and the inside and makes the connection on behalf of the endpoints. With a proxy firewall, there is no direct connection.
Host-based application firewall
A host-based application firewall can monitor any application input, output, and/or system service calls made from, to, or by an application this is done by examining information passed through system calls instead of, or in addition to, a network stack. A host-based application firewall can only provide protection to the applications running on the same host. An example of a host-based application firewall that controls system service calls by an application is AppArmor or the Mac OS X application firewall. Host-based application firewalls may also provide network-based application firewalling.
mesh network
A mesh network is a network in which all nodes cooperate to relay data and are all connected to one another. To ensure complete availability, continuous connections are provided by using self-healing algorithms that are used to route around broken or blocked paths.
Network flow data
A network flow is a single conversation or session that shares certain characteristics between two devices. Tools and utilities such as Cisco's NetFlow Analyzer can organize these conversations for purposes of traffic analysis and planning. You can set tools like this to define the conversations on the basis of various combinations of the following characteristics: ■ Ingress interface ■ Source IP address ■ Destination IP address ■ IP protocol ■ Source port for UDP or TCP ■ Destination port for UDP or TCP and type and code for ICMP (with type and code set as 0 for protocols other than ICMP) ■ IP type of service The most Net flow identifiers are source and destination IP addresses and source and destination port numbers. You can use the nfdump command-line tool to extract network flow information for a particular flow or conversation. Attached screen capture is an example. In this example, in the first flow, a packet is sent from the host machine using 127.0.0.1 with a port number of 24920 to a machine at 192.168.0.1 directed to port 22126. The second flow is the response from the device at 192.168.0.1 to the original source port of 24920.
NIDS
A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans, or even attempts to crack into computers by monitoring network traffic. A NIDS reads all the incoming packets and tries to find suspicious patterns known as signatures or rules. It also tries to detect incoming shell codes in the same manner that an ordinary intrusion detection systems does.
NextGen firewalls
A next-generation firewall (NGFW) is a hardware- or software-based network security system that is able to detect and block sophisticated attacks by enforcing security policies at the application level, as well as at the port and protocol level. Next-generation firewalls integrate three key assets: enterprise firewall capabilities, an intrusion prevention system (IPS) and application control. Like the introduction of stateful inspection in first-generation firewalls, NGFWs bring additional context to the firewall's decision-making process by providing it with the ability to understand the details of the Web application traffic passing through it and taking action to block traffic that might exploit vulnerabilities.
Virtual Firewalls Advantages
Advantages of virtual firewalls include: ■ They offer cost savings. ■ They are easy to implement. ■ Their simple functionality reduces integration issues.
Change Monitoring
All networks evolve, grow, and change over time. Companies and their processes also evolve and change, which is a good thing. But change should be managed in a structured way to maintain a common sense of purpose about the changes. By following recommended steps in a formal process, you can prevent change from becoming the tail that wags the dog. The following guidelines should be a part of any change control policy: ■ All changes should be formally requested. ■ Each request should be analyzed to ensure that it supports all goals and polices. ■ Prior to formal approval, all costs and effects of the methods of implementation should be reviewed. ■ Once approved, the change steps should be developed ■ During implementation, incremental testing should occur, relying on a predetermined fallback strategy if necessary. ■ Complete documentation should be produced and submitted with a formal report to management.
protocol analyzer
Also called sniffers, these devices can capture raw data frames from a network. They can be used as a security and performance tool. Many protocol analyzers can organize and graph the information they collect. Graphs are great for visually identifying trends and patterns.
IPS
An IPS, or intrusion prevention system is used in computer security. It provides policies and rules for network traffic along with an intrusion detection system for alerting system or network administrators to suspicious traffic, but allows the administrator to provide the action upon being alerted. Some compare an IPS to a combination of IDS and an application layer firewall for protection.
Placement of devices
Antenna placement can be crucial in allowing clients to reach the wireless access point. There isn't a universal solution to this issue, and it depends on the environment in which the access point is placed. As a general rule, the greater the distance the signal must travel, the more it will attenuate, but you can lose a signal quickly over a short distance as well if the building materials reflect or absorb the signal. You should try to avoid placing access points near metal (which includes appliances) or near the ground. Placing them in the center of the area to be served and high enough to get around most obstacles is recommended. On the chance that the signal is actually traveling too far, some access points include power level controls, which allow you to reduce the amount of output provided.
Application and protocol aware technologies
Application-aware networking is the capacity of an intelligent network to maintain current information about applications that connect to it and, as a result, optimize their functioning as well as that of other applications or systems that they control. The information maintained includes application state and resource requirements.
application-level proxy
Application-level proxy is a type of Proxy firewall. Take note that a Proxy firewall stands between an internal-to-external connection and makes the connection on behalf of the endpoints. Application-level proxy perform a type of deep packet inspection (inspection up to layer 7). This type of firewall understands the details of the communication process at layer 7 for the application. An application-level firewall maintains a different proxy function for each protocol. For example, the proxy will be able to read and filter HTTP traffic based on specific HTTP commands. Operating at this layer requires each packet to be completely opened and closed, giving this firewall the most impact on performance.
Challenge Handshake Authentication Protocol (CHAP)
CHAP solves the cleartext problem by operating without sending the credentials across the link. The server sends the client a set of random text called a challenge. The client encrypts the text with the password and sends it back. The server then decrypts it with the same password and compares the result with what was sent originally. If the results match, then the server can be assured that the user or system possesses the correct password without ever needing to send it across the untrusted network. Versions of CHAP are: * MS-CHAP v1 * MS-CHAP v2
circuit-level proxy
Circuit-level proxy is another type of Proxy firewall as opposed to an Application-level proxy. Take note that a Proxy firewall stands between an internal-to-external connection and makes the connection on behalf of the endpoints. Circuit-level proxy operate at the session layer (layer 5) of the OSI model. This type of proxy makes decisions based on the protocol header and session layer information. Because it does no deep packet inspection (at layer 7, or the application layer), this type of proxy is considered application independent and can be used for wide range of layer 7 protocols. A SOCKS firewall is an example of a circuit-level firewall. It requires a SOCKS client on the computers. Many vendors have integrated their software with SOCKS to make it easier to use this type of firewall.
Configuration Lockdown
Configuration lockdown (sometimes also called system lockdown) is a setting that can be implemented on devices including servers, routers, switches, firewalls, and virtual hosts. You set it on a device once that device is correctly configured. It prevents any changes to the configuration, even by users who formerly had the right to configure the device. This setting helps support change control. Full testing for functionality of all services and applications should be performed prior to implementing this setting. Many products that provide this functionality offer a test mode, in which you can log any problems the current configuration causes without allowing the problems to completely manifest on the network. This allows you to identify and correct any problems prior to implementing full lockdown.
Database access monitoring - DAM
Database access monitoring (DAM) is a database security technology for monitoring and analyzing database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs. DAM is typically performed continuously and in real- time. DAM is also an important technology for protecting sensitive databases from external attacks by cybercriminals. According to Gartner, "DAM provides privileged user and application access monitoring that is independent of native database logging and audit functions. It can function as a compensating control for privileged user separation-of-duties issues by monitoring administrator activity. The technology also improves database security by detecting unusual database read and update activity from the application layer. Database event aggregation, correlation, and reporting provide a database audit capability without the need to enable native database audit functions."
Virtual Firewalls Disadvantages
Disadvantages include: ■ There is a performance load on the CPU of the host. ■ Network paths may potentially be suboptimal. ■ If the virtualization infrastructure goes down, troubleshooting requires physically visiting the location. ■ Virtual routers are more prone to configuration errors than are physical routers.
IPv4 and IPv6 nodes
Due to the transition from IPV4 to IPV5, there exists several nodes in a Computer Network. Network nodes will fit into one of the following categories: - IPv4-only node (only runs an IPv4 stack) - IPv6-only node (only runs an IPv6 stack) - IPv6/IPv4 node (runs both an IPv4 & IPv6 stack)
File encryption for "data-at-rest"
Encrypts an individual file so that if it ever ended up in someone else's possession, they could not open it or see the contents. PGP is commonly used to encrypt files.
File Transfer Protocol (FTP)
FTP is a protocol that is responsible for files transfers from one system to another. FTP is insecure in that the username and password are transmitted in cleartext. The original cleartext version uses TCP port 20 for data and TCP port 21 as the control channel. It is not recommended to use FTP when security is a consideration.
FTPS
FTPS is FTP that adds support for the cryptographic protocols Transport Layer Security (TLS) and Secure Sockets Layer (SSL). FTPS uses TCP ports 989 and 990. FTPS is not the same as and should not be confused with another secure version of FTP, SSH File Transfer Protocol (SFTP). Rather, it is an extension of the Secure Shell Protocol (SSH). There have been a number of different versions, with version 6 being the latest. Since it uses SSH for the file transfer, it uses TCP port 22.
Generic Routing Encapsulation (GRE)
Generic Routing Encapsulation (GRE) is one of the methods of transition mechanisms from utilizing IPV4 to IPV6 addressing. GRE can be used to carry IPv6 packets across an IPv4 network by encapsulating them in GRE IPv4 packets.
Hypertext Transfer Protocol Secure (HTTPS)
HTTP Secure (HTTPS) is the implementation of HTTP running over the SSL/TLS protocol, which establishes a secure session using the server's digital certificate. SSL/TLS keeps the session open using a secure channel. HTTPS websites always include the https:// designation at the beginning.
IPv6
IPv6 is an IP addressing scheme designed to provide a virtually unlimited number of IP addresses. It uses 128 bits rather than 32, as in IPv4, and it is represented in hexadecimal rather than dotted-decimal format. Moreover, any implementation of IPv6 requires support built in for Internet Protocol Security (IPsec), which is optional in IPv4. IPsec is used to protect the integrity and confidentiality of the data contained in a packet.
management plane
In Software-Defined Networking (SDN) there exists three planes in its networking architecture: 1. control plane, 2. data plane, and 3. management plane. The Management plane administers the router.
control plane
In Software-Defined Networking (SDN) there exists three planes in its networking architecture: 1. control plane, 2. data plane, and 3. management plane. The control plane carries signaling traffic originating from or destined for a router. This is the information that allows routers to share information and build routing tables.
data plane
In Software-Defined Networking (SDN) there exists three planes in its networking architecture: 1. control plane, 2. data plane, and 3. management plane. The data plane also known as forwarding plane carries user traffic.
Hardware Security Module - HSM
In addition to Trusted Platform Module (TPM), Hardware Security Module (HSM) is also a crypto processor that can be used to enhance security. HSM is commonly used with PKI systems to augment security with CAs. As opposed to being mounted on the motherboard like TPMs, HSMs are traditionally PCI adapters.
UTM
In the broadest sense of the term, any freestanding device that operates in a largely self-contained manner is considered to be an appliance. An all-in-one appliance, also known as Unified Threat Management (UTM) and Next Generation Firewall (NGFW), is one that provides a good foundation for security. When you combine a firewall with other abilities (intrusion prevention, antivirus, content filtering, etc.), what used to be called an all-in-one appliance is now known as a UTM. The advantages of combining everything into one include a reduced learning curve (you only have one product to learn), a single vendor to deal with, and—typically—reduced complexity. The disadvantages of combining everything into one include a potential single point of failure, and the dependence on the one vendor.
Infrastructure as a Service (IaaS)
In this cloud service setup, the vendor provides the hardware platform or data center, and the company installs and manages its own operating systems and application systems. The vendor simply provides access to the data center and maintains that access. An example of this is a company hosting all its web servers with a third party that provides everything. With IaaS, customers can benefit from the dynamic allocation of additional resources in times of high activity, while those same resources are scaled back when not needed, saving money.
Software as a Service (SaaS)
In this cloud service, the vendor provides the entire solution, including the operating system, the infrastructure software, and the application. The vendor may provide an email system, for example, in which it hosts and manages everything for the contracting company. An example of this is a company that contracts to use Salesforce or Intuit QuickBooks using the browser rather than installing the applications on every machine. This frees the customer company from performing updates and other maintenance of the applications.
three-legged firewall
In this configuration, there are three interfaces: one connected to the untrusted network, one to the internal network, and the last to a part of the network called a demilitarized zone (DMZ), a protected network that contains systems that need a higher level of protection. A DMZ might contain web servers, email servers, or DNS servers. The firewall controls the traffic that flows between the three networks, being somewhat careful with traffic destined for the DMZ and treating traffic to the internal network with much more suspicion. Figure below shows the location of a three-legged firewall.
Virtual Networking and Security Components
Increasingly, devices and services are being virtualized, and many of the infrastructure devices that support the network are being virtualized as well and are operating in these virtual environments. Many of the devices listed under the section "Networking Devices" can be virtualized.
SOCKS firewall
Is a circuit-level firewall that requires a SOCKS client on the computers. Many vendors have integrated their software with SOCKS to make it easier to use this type of firewall.
Platform as a Service (PaaS)
Is a cloud service which involves the vendor providing the hardware platform or data center and the software running on the platform. This includes the operating systems and infrastructure software. The company is still involved in managing the system.
Intra-Site Automatic Tunnel Addressing Protocol - ISATAP
It is an automatic tunneling protocol that enables dual-stack devices to transmit IPv6 traffic (encapsulated in IP protocol 41 packets) between each other across an IPv4 backbone. Since ISATAP assumes that multicast is not available on the underlying IPv4 network, it has to have a mechanism for ISATAP hosts to identify potential ISATAP routers to communicate with. You can manually configure this list, but most implementations prefer to use DNS to query the IPv4 network for isatap.company.com (where your local domain is company.com) to identify the location of the ISATAP router. Given an IPv4 address of 172.12.10.5, an ISATAP encodes the IPv4 address into the IPv6 address using the following format: <64-bit network prefix>:0:5EFE:172.12.10.5 (private address) <64-bit network prefix>:200:5EFE:172.12.10.5 (globally unique address) ISATAP is implemented on most platforms and enabled by default on Microsoft devices.
NIPS
Network intrusion prevention system (NIPS) is a hardware/software platform that is designed to analyze, detect, and report on security related events. It is designed to inspect traffic and based on its configuration or security policy, it can drop malicious traffic. It is able to detect events scattered over the network and react.
SSL Inspection
One form of traffic on which it is difficult to perform deep packet inspection for malware and malicious commands is SSL protected traffic. One method of doing so is using a proxy server that supports SSL inspection. When SSL inspection is in use, the proxy server intercepts all SSL traffic, decrypts it, inspects it, and reencrypts it. This process is depicted in attached Figure.
Building Automation and Control Network (BACnet)
One of the best examples of the marriage of IP networks and a system that formerly operated in a silo is heating, ventilation, and air conditioning (HVAC) systems. HVAC systems usually use a protocol called Building Automation and Control Network (BACnet). This is an application, network, and media access (MAC) layer communications service. It can operate over a number of layer 2 protocols, including Ethernet. To use the BACnet protocol in an IP world, BACnet/IP (B/IP) was developed. The BACnet standard makes exclusive use of MAC addresses for all data links, including Ethernet. To support IP, IP addresses are needed. BACnet/IP, Annex J defines an equivalent MAC address composed of a 4-byte IP address followed by a 2-byte UDP port number. A range of 16 UDP port numbers has been registered as hexadecimal BAC0 through BACF. While putting these systems on an IP network makes them more manageable, it has become apparent that these networks should be separate from the internal network. In the infamous Target breach, hackers broke into the network of a company that managed the company's HVAC systems. The intruders leveraged the trust and network access granted to them by Target and then from these internal systems broke into the point-of-sale systems and stole credit and debit card numbers, as well as other personal customer information.
Passive vulnerability scanning
Passive scanning is a method of vulnerability detection that relies on information gleaned from network data that is captured from a target computer without direct interaction. Packet sniffing applications can be used for passive scanning to reveal information such as operating system, known protocols running on non-standard ports and active network applications with known bugs. Passive scanning may be conducted by a network administrator scanning for security vulnerabilities or by an intruder as a preliminary to an active attack.
Cloud-managed networks benefits
Rapid deployment with self-provisioning, self-optimizing hardware Control applications, users and devices Built-in multi-site management Automatic monitoring and alerts
Remote access
Remote access helps in accessing a computer or a network from a remote distance. In corporations, people working in branch offices, telecommuters, and people who are traveling may need to access the corporation's network. Home users can access the Internet through remote access to an Internet service provider (ISP).
Route protection
Route protection is primarily maintained by means of IPSec. IPSec protects networks by securing IP packets with encryption and enforcement of trusted communication. IPSec is the most widely used standard for protecting IP datagrams. Because IPSec can be applied below the application layer, it can be used by any or all applications and is transparent to end-users. IPSec can be configured to communicate in tunnel and transport mode.
Dual Stack- running IPv4 & IPv6 simultaneously
Running a dual stack environment is the simplest way to support IPv4 and IPv6. In this configuration, your devices run two different stacks (IPv4 and IPv6) simultaneously. Therefore, your devices can communicate through either IPv6 or IPv4. Although this appears to give you the best of both worlds, it also presents some interesting security concerns. First, since your devices are running two different stacks, existing ACLs for IPv4 do nothing to stop IPv6 traffic. You may think that this is not a problem since you have not configured IPv6 on your network yet. Think again. Many hosts have IPv6 enabled by default. Combine that with the ability of IPv6 to automatically configure network addresses, and you have a situation in which an attacker can bypass your existing protections and potentially compromise devices on your network, even though you have not yet deployed IPv6.
service-level agreements (SLAs)
SLAs are agreements about the ability of the support system to respond to problems within a certain time frame while providing an agreed level of service. These agreements can be internal between departments or external, with a service provider. Agreeing on the quickness with which various problems are addressed introduces some predictability to the response to problems; this ultimately supports the maintenance of access to resources. The following are some examples of what may be included in an SLA: ■ Loss of connectivity to the DNS server must be restored within a two-hour period. ■ Loss of connectivity to Internet service must be restored in a five-hour period. ■ Loss of connectivity of a host machine must be restored in an eight-hour period.
SHTTP
Secure HTTP (SHTTP) protects HTTP commu- nication in a different manner. SHTTP encrypts only a single communication message, not an entire session (or conversation). SHTTP is not as common as HTTPS.
Transport security protocols : TLS, SSL
Secure Sockets Layer (SSL) is a protocol that provides encryption, server and client authentication, and message integrity. It interfaces with the Application and Transport layer but does not really operate within these layers. SSL was developed by Netscape to transmit private documents over the Internet. While SSL implements either 40-bit (SSL 2.0) or 128-bit (SSL 3.0) encryption, the 40-bit version is susceptible to attacks because of its limited key size. SSL allows an application to have encrypted, authenticated communication across a network. Transport Layer Security (TLS) is an open-community standard that provides many of the same services as SSL. TLS 1.0 is based on SSL 3.0 but is more extensible. The main goal of TLS is privacy and data integrity between two communicating applications. SSL and TLS are most commonly used when data needs to be encrypted while it is being transmitted (in transit) over a medium from one system to another.
SIEM
Security Information and Event Management solutions are a combination of the formerly disparate product categories of SIM (security information management) and SEM (security event management). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes.
Cloud-managed networks use cases
Small branches and low-density deployments Remote employees via built-in VPN capability
screened subnet
Taking the screened host concept from previous term a step further is a screened subnet. In this case, two firewalls are used, and traffic must be inspected at both firewalls before it can enter the internal network. This solution is called a screen subnet because there is a subnet between the two firewalls that can act as a DMZ for resources from the outside world. Figure above shows the placement of the firewalls to create a screened subnet.
Teredo
Teredo gives full IPv6 connectivity for dual-stack hosts that are connected to the Internet, but which have no direct native connection to an IPv6 network. Teredo encapsulates IPv6 data into IPv4 UDP packets and successfully operates through most NAT boundaries. A Teredo IPv6 address is constructed as follows: * Teredo Prefix (2001::/32) + Teredo Server IPv4 address + Flags + Obscured External Port + Obscured External Address Unlike other tunneling protocols, Teredo actually obscures the IPv4 address and port to prevent "smart" NAT devices from translating the information. A Teredo environment is comprised of Teredo clients, Teredo Servers, and Teredo Relays. To communicate with another IPv6 device, a Teredo client encapsulates an ICMPv6 Echo Request to the other device in a UDP packet and sends this to the Teredo server. The server decapsulates the ICMPv6 Echo Request and sends it to the actual IPv6 node. The node will reply with an Echo Reply, but this reply is sent to the appropriate Teredo relay that then contacts the Teredo client. Both the Teredo client and the native IPv6 node utilize the same Teredo relay, which is usually the relay closest to the IPv6 node. This design means that neither the Teredo server nor client needs to know the IPv4 address of any Teredo relays; a suitable one is automatically found by means of the global IPv6 routing table, since all Teredo relays advertise the network 2001:0::/32.
Cloud-managed networks
The Cloud Managed Networking brings the benefits of the cloud to enterprise networking, delivering easy to use, cost effective wired and wireless networks that are centrally managed and control over the web.
802.1x
The IEEE standard 802.1X defines port-based security for wireless network access control. As such, it offers a means of authentication and defines the Extensible Authentication Protocol (EAP) over IEEE 802 and is often known as EAP over LAN (EAPOL). The biggest benefit of using 802.1X is that the access points and the switches do not need to do the authentication but instead rely on the authentication server to do the actual work.
Difference between authentication and identification
The key difference between authentication and identification is that authentication means someone has accurate information, whereas identification means that accurate information is proven to be in possession of the correct individual. The most basic form of authentication is known as single-factor authentication (SFA) because only one set of values is checked. To increase security, it is necessary to use multifactor authentication, which involves two or more values that are checked.
IPv4 to IPv6 transition mechanisms
The transition mechanisms from IPv4 to IPv6 fall into the following categories: - Dual Stack - running IPv4 & IPv6 simultaneously - Tunneling - IPv6 over IPv4 & IPv4 over IPv6 - Translation - IPv4 to IPv6 & IPv6 to IPv4
packet filtering firewall
The type of firewall that is the least detrimental to throughput as it only inspects the header of the packet for allowed IP addresses or port numbers.
virtual local area network, switch (VLAN)
These are logical subdivisions of a switch that segregate ports from one another as if they were in different LANs. VLANs can also span multiple switches, meaning that devices connected to switches in different parts of a network can be placed in the same VLAN, regardless of physical location. A VLAN adds a layer of separation between sensitive devices and the rest of the network. For example, if only two devices should be able to connect to the HR server, the two devices and the HR server could be placed in a VLAN separate from the other VLANs. Traffic between VLANs can only occur through a router. Routers can be used to implement access control lists (ACLs) that control the traffic allowed between VLANs.
Change Control Process, Steps of
These are the steps in a formal change control process: 1. Submit/resubmit a change request. 2. Review the change request. 3. Coordinate the change. 4. Implement the change. 5. Measure the results of the change.
stateful firewall
These firewalls are aware of the proper functioning of the TCP handshake, keep track of the state of all connections with respect to this process, and can recognize when packets are trying to enter the network that don't make sense in the context of the TCP handshake. A stateful firewall also has the ability to recognize other attack types that attempt to misuse this process. It does this by maintaining a state table about all current connections and where each connection is in the process. This allows it to recognize any traffic that doesn't make sense with the current state of the connections. Of course, maintaining this table and referencing the table cause this firewall type to have a larger effect on performance than does a packet-filtering firewall.
failsoft
This is the capability of a system to terminate noncritical processes when a failure occurs.
failover
This is the capacity of a system to switch over to a backup system if a failure in the primary system occurs.
mean time between failures (MTBF)
This metric describes the average amount of time between failures during normal operations.
mean time to repair (MTTR)
This metric describes the average amount of time it will take to get the device fixed and back online.
Transport encryption
This protects the file as it travels over protocols such as FTPS (SSL), SFTP (SSH), and HTTPS. Leading solutions use encryption strengths up to 256-bit.
clustering
This refers to a software product that provides load balancing services. With clustering, one instance of an application server acts as a master controller and distributes requests to multiple instances, using round-robin, weighted round-robin, or a least-connections algorithm.
Remote Access Services - RAS
This refers to any server service that offers the ability to connect remote systems. The current Microsoft product for Windows-based clients is called Routing and Remote Access Services (RRAS), but it was previously known as Remote Access Services (RAS). Because of this, you'll encounter the term RAS used interchangeably to describe both the Microsoft product and the process of connecting to remote systems. The RAS connection is accomplished via dial-up (plain-old telephone service [POTS] and a modem) or network technologies such as VPNs, ISDN, DSL, and cable modems. RAS connections may be secure or in the clear, depending on the protocols that are used in the connection. A popular method of remote access that allows customer service technicians to take over the mouse and keyboard functions of a remote workstation is through the use of PC Anywhere and similar remote connection/virtual network programs. A major issue with Virtual Network Computing (VNC) is that you are leaving open a door into the network that anyone may stumble upon. By default, most of these programs start the server service automatically, and it is running even when it is not truly needed.
Tunnelling
This refers to creating a virtual dedicated connection between two systems or networks. You create the tunnel between the two ends by encapsulating the data in a mutually agreed-upon protocol for transmission. In most tunnels, the data passed through the tunnel appears at the other side as part of the network.
kernel proxy firewall
This type of firewall is an example of a fifth-generation firewall. It inspects a packet at every layer of the OSI model but does not introduce the same performance hit as an application-layer firewall because it does this at the kernel layer. It also follows the proxy model in that it stands between two systems and creates connections on their behalf. Placement of a Kernel proxy firewall is as close to the system it is protecting as possible.
Compatibility Addressing
To enable interoperability between IPv4 hosts and IPv6 hosts, you need a way to encode the 32 bit, IPv4 address inside of the 128 bit, IPv6 address. This enables both the automatic tunneling of IPv6 traffic across an IPv4 network, as well as translation between IPv4 and IPv6 networks. Because of the size of the IPv6 address, numerous methods have been developed for encoding an IPv4 address inside of an IPv6 address. For instance, to maintain backward compatibility with IPv4, RFC 4291 defines both IPv4-compatible and IPv4-mapped addresses (both types begin with 80 0's) to provide a direct mapping for IPv4 addresses in IPv6. Various tunneling protocols such as ISATAP, 6to4, and Teredo also encode the IPv4 address in the IPv6 address.
Secure configuration and baselining of networking and security components
To take advantage of all the available security features on the various security devices discussed so far: * proper configuration and * management of configurations must take place. This requires a consistent change process and some method of restricting administrative access to devices. This sections explore both issues.
Transport security protocols TLS, SSL
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks, such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end. Several versions of the protocols are in widespread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and voiceover-IP (VoIP). The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. TLS provides RSA security with 1024 and 2048 bit strengths.
trunk links
Trunk links are links between switches and between routers and switches that carry the traffic of multiple VLANs. Normally when a hacker is trying to capture traffic with a protocol analyzer, she is confined to capturing only unicast data on the same switch port to which she is attached and only broadcasting and multicasting data from the same VLAN to which her port is a member. However, if a hacker is able to create a trunk link with one of your switches, she can now capture traffic in all VLANs on the trunk link. In most cases, it is difficult for her to do so, but on Cisco switches, it is possible for the hacker to take advantage of the operations of a protocol called Dynamic Trunking Protocol (DTP) to create a trunk link quite easily. DTP allows two switches to form a trunk link automatically, based on their settings. A switch port can be configured with the following possible settings: ■ Trunk (hard-coded to be a trunk) ■ Access (hard-coded to be an access port) ■ Dynamic desirable (in which case the port is willing to form a trunk and will actively attempt to form a trunk) ■ Dynamic auto (in which case the port is willing to form a trunk but will not initiate the process) If your switch port is set to either dynamic desirable or dynamic auto, it would be easy for a hacker to connect a switch to that port, set his port to dynamic desirable, and thereby form a trunk. This attack, called switch spoofing , is shown in Figure above. All switch ports should be hard-coded to trunk or access, and DTP should not be used.
Trunking security
Trunking security is an important concern when discussing VLANs. VLANs started as a security and traffic control used to separate network traffic. The VLAN model works by separating its users into workgroups, such as engineering, marketing, and sales. Today, many companies prefer campus-wide VLANs because VLANs have to span and be trunked across the entire network. A trunk is simply a link between two switches that carries more than one VLAN's data. From a security perspective, this is a concern. If an attacker can get access to the trunked connection, they can potentially jump from one VLAN to another. This is called VLAN hopping. It is very important to make sure that trunked connections are secure so that malicious activity cannot occur. Cisco has several ways to incorporate VLAN traffic for trunking. These techniques may include the IEEE's implementation of 802.1Q or Cisco's Inter-Switch Link (ISL).
Tunnelling protocols
Tunnelling protocols usually include data security as well as encryption. Several popular standards have emerged for tunnelling, with the most popular being the Layer 2 Tunnelling Protocol (L2TP).
Virtual Network Computing (VNC)
VNC operates much like RDP but uses the Remote Frame Buffer (RFB) protocol. Unlike RDP, VNC is platform independent. For example, it could be used to transmit between a Linux server and an OS X laptop. The VNC system contains the following components: ■ The VNC server is the program on the machine that shares its screen. ■ The VNC client (or viewer) is the program that watches, controls, and interacts with the server. ■ The VNC protocol (RFB) is used to communicate between the VNC server and client.
virtual private network (VPN)
Virtual private network (VPN) connections use an untrusted carrier network but provide protection of the information through strong authentication protocols and encryption mechanisms. While we typically use the most untrusted network—the Internet—as the classic example, and most VPNs do travel through the Internet, a VPN can be used with interior networks as well whenever traffic needs to be protected from prying eyes. In VPN operations, entire protocols wrap around other protocols when this process occurs. They include: ■ A LAN protocol (required) ■ A remote access or line protocol (required) ■ An authentication protocol (optional) ■ An encryption protocol (optional) A device that terminates multiple VPN connections is called a VPN concentrator. VPN concentrators incorporate the most advanced encryption and authentication techniques available.
Virtual Proxy Servers
Virtual proxy servers, like their physical counterparts, act as intermediaries for requests from clients seeking resources from other servers. There are no differences between securing actual and virtual servers. See the treatment of proxy servers in the section "Networking Devices."
Virtual Firewalls
Virtual routers are actually software instances of physical routers and in some implementations are instances that operate inside a physical router. Traditionally, routers contribute to a single routing table, but when multiple virtual routers are created on a physical router, each has its own routing table. Service providers use these to separate customer networks from one another.
Screened Host Firewall
While other typically connect directly to the untrusted network (at least one interface does), a screened host is a firewall that is between the final router and the internal network. When traffic comes into the router and is forwarded to the firewall, it is inspected before going into the internal network. This configuration is very similar to that of a dual-homed firewall; the difference is that the separation between the perimeter network and the internal network is logical and not physical. There is only a single interface. The location of a screened host firewall is shown below:
Complex Network Security Solutions for Data Flow
While securing the information that traverses the network is probably the most obvious duty of the security professional, having an awareness of the type of traffic that is generated on the network is just as important. For both security and performance reasons, you need to understand the amount of various traffic types and the source of each type of traffic. The following sections talk about what data flows are and how to protect sensitive flows.
Access Control Lists - (ACLs)
______ are rule sets that can be implemented on firewalls, switches, and other infrastructure devices to control access. There are other uses of ______, such as to identify traffic for the purpose of applying Quality of Service (QoS), but the focus here is on using _______ to restrict access to the devices. Many of the devices in question have web interfaces that can be used for management, but many are also managed through a command-line interface (and many technicians prefer this method). _______ can be applied to these virtual terminal interfaces to control which users (based on their IP addresses) have access and which do not. When creating ______ rule sets, keep the following design considerations in mind: ■ The order of the rules is important. If traffic matches a rule, the action specified by the rule will be applied, and no other rules will be read. Place more specific rules at the top of the list and more general rules at the bottom. ■ On many devices (such as Cisco routers), an implied deny all rule is located at the end of all ACLs. If you are unsure, it is always best to configure an explicit deny all rule at the end of an ACL list. ■ It is also possible to log all traffic that meets any of the rules.
in-line network encryptor (INE)
also called a high-assurance Internet Protocol encryptor (HAIPE), is a Type I encryption device. Type I designation indicates that it is a system certified by the NSA for use in securing U.S. government classified documents. To achieve this designation, the system must use NSA-approved algorithms. Such systems are seen in governmental, particularly DoD, deployments.
storage area network (SAN)
are comprised of high-capacity storage devices that are connected by a high-speed private network (separate from the LAN) using a storage-specific switch. This storage information architecture addresses the collection of data, management of data, and use of data.
6to4
enables dual-stack devices to transmit IPv6 traffic across an IPv4 backbone via 6to4 relay servers without the need to manually configure tunnels. Similar to ISATAP, the tunneled IPv6 traffic is encapsulated in IP protocol 41 packets on the IPv4 network.
dual-homed firewall
has two network interfaces: one pointing to the internal network and another connected to the untrusted network. In many cases, routing between these interfaces is turned off. The firewall software will allow or deny traffic between the two interfaces based on the firewall rules configured by the administrator. The danger of relying on a single dual-homed firewall is that there is a single point of failure. If this device is compromised, the network is compromised, too. If it suffers a denial of service attack, no traffic will pass. Neither is a good situation.
Redundant Array of Inexpensive/Independent Disks (RAID)
is a hard drive technology in which data is written across multiple disks in such a way that a disk can fail and the data can be quickly made available by remaking disks in the array without resorting to a backup tape. The most common types of RAID are: RAID 0, RAID 1, RAID 3, RAID 5, RAID 7.
signature-based detection
is a method used by Network intrusion detection systems to discover threats by comparing traffic with preconfigured attack patterns known as signatures.
statistical anomaly-based detection
is a method used by Network intrusion detection systems to discover threats. It determines the normal network activity and alerts when traffic that is anomalous (not normal) is detected.
stateful protocol analysis detection
is a method used by Network intrusion detection systems to discover threats. It identifies deviations by comparing observed events with predetermined profiles of generally accepted definitions of benign activity.
Remote Desktop Protocol (RDP)
is a proprietary protocol developed by Microsoft that provides a graphical interface to connect to another computer over a network connection. Unlike Telnet and SSH, which allow only working from the command line, RDP enables you to work on a remote computer as if you were actually sitting at its console. While RDP can be used for remote connections to a machine, it can also be used to connect users to a virtual desktop infrastructure (VDI). This allows the user to connect from anywhere and work from a virtual desktop. Each user may have his or her own virtual machine (VM) image, or many users may use images based on the same VM.
Internet Protocol Security (IPsec)
is a suite of protocols that establishes a secure channel between two devices. IPsec is commonly implemented over VPNs. IPsec provides traffic analysis protection by determining the algorithms to use and implementing any cryptographic keys required for IPsec. IPsec includes Authentication Header (AH), Encapsulating Security Payload (ESP), and security associations. AH provides authentication and integrity, whereas ESP provides authentication, integrity, and encryption (confidentiality). A Security Association (SA) is a record of a device's configuration that needs to participate in IPsec communication. A Security Parameter Index (SPI) is a type of table that tracks the different SAs used and ensures that a device uses the appropriate SA to communicate with another device. Each device has its own SPI. IPsec runs in one of two modes: transport mode or tunnel mode. Transport mode protects only the message payload, whereas tunnel mode protects the payload, routing, and header information. Both of these modes can be used for gateway-to-gateway or host-to-gateway IPsec communication.
Secure Shell (SSH)
is an application and protocol that is used to remotely log in to another computer using a secure tunnel. After the secure channel is established after a session key is exchanged, all communication between the two computers is encrypted over the secure channel. SSH is a solution that could be used to remotely access devices, including switches, routers, and servers. SSH is preferred over Telnet because Telnet does not secure the communication.
Software-defined networking - SDN
is an emerging architecture that is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications. This architecture decouples the network control and forwarding functions enabling the network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network services. The OpenFlow® protocol is a foundational element for building SDN solutions. The SDN architecture is: * Directly programmable - Network control is directly programmable because it is decoupled from forwarding functions. * Agile - Abstracting control from forwarding lets administrators dynamically adjust network-wide traffic flow to meet changing needs. * Centrally managed - Network intelligence is (logically) centralized in software-based SDN controllers that maintain a global view of the network, which appears to applications and policy engines as a single, logical switch. * Programmatically configured - SDN lets network managers configure, manage, secure, and optimize network resources very quickly via dynamic, automated SDN programs, which they can write themselves because the programs do not depend on proprietary software. * Open standards-based and vendor-neutral - When implemented through open standards, SDN simplifies network design and operation because instructions are provided by SDN controllers instead of multiple, vendor-specific devices and protocols.
Database activity monitoring and prevention - DAMP
is an extension to DAM that goes beyond monitoring and alerting to also block unauthorized activities. DAM helps businesses address regulatory compliance mandates like the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the SarbanesOxley Act (SOX), U.S. government regulations and EU regulations.
Secure Sockets Layer (SSL)
is another option for creating secure connections to servers. It works at the application layer of the OSI model. It is used mainly to protect HTTP traffic or web servers. Its functionality is embedded in most browsers, and its use typically requires no action on the part of the user. It is widely used to secure Internet transactions. It can be implemented in two ways: * SSL portal VPN * SSL tunnel VPN
Password Authentication Protocol (PAP)
is one type of network authentication method and an authentication protocol. PAP provides authentication, but the credentials are sent in cleartext and can be read with a sniffer. A better alternative is Challenge-Handshake Authentication Protocol (CHAP), which never passes the credentials across the network.