Network Security
Security Appliance
The term security appliance is a general term used to describe a network device that
performs some kind of security function. The most well-known security appliance is the
firewall. A firewall is a network device used to enforce certain security rules that govern
how traffic may flow, such as allowing certain types of traffic and denying other types of
traffic. Other types of security appliances include an intrusion detection system (IDS) or
intrusion prevention system (IPS).

Secure Protocols
Secure protocols are protocols that encrypt data as it traverses the network. The two most
commonly used secure protocols are:

• Secure Socket Layer/Transport Layer Security (SSL/TLS)

• Secure Shell (SSH)


Ports
There are both physical and logical ports, similar to how we have both physical addresses (MAC address) and
logical addresses (IP address), as discussed previously.

A physical port is a physical slot on a computer or network device that another device or cable can be plugged
into.

A logical port is a numerical identifier that is mapped to a particular protocol to tell a receiving computer what
service is trying to be used.

Socket - A combination of a port and IP address.

Port Groupings are as follows:

• Well-known ports (0–1023) Several well-known ports are generally used for specific protocols that are part
of the TCP/IP suite of protocols, such as HTTP (80), HTTPS (443), DNS (53), SMTP (25) and more.

• Registered ports (1024–49151) Registered ports range from 1024 to 49151. These are ports that can be
registered with IANA for a specific purpose. Vendors sometimes register a port for their proprietary software.

• Dynamic/private/ephemeral ports (49152–65535) Dynamic/private ports range from 49152 to 65535.
These ports are not assigned by IANA and are used by applications as needed for customer services or as
ephemeral ports. Ephemeral ports are only used for a brief period of time as part of a communication session.

Network Segmentation
Network subnetting allows organizations to logically segment parts of their network by
dividing larger IP ranges into smaller network segments. Hosts on the network are only able to
communicate with other hosts that share the same network portion of the IP address (network
ID).
Network segmentation is a network design technique that can allow organizations to logically
group certain devices (such as the IT team, sales team, etc.). It can also be used to increase
security by segmenting different parts of the network that may post different risks (such as
segmenting the wireless network from the wired network).

How do we accomplish network segmentation in a local area network?
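As an added example (not part of the original slides), the following Python uses the standard library's ipaddress module to carve one address block into smaller segments, assign named groups to them, and test whether two hosts share the same network ID, which is the condition the text gives for direct host-to-host communication. The 192.168.10.0/24 block and the group names are constructed for illustration.

```python
import ipaddress


def segment_network(cidr, new_prefix):
    """Split one address block into equal-sized subnets (segments)."""
    network = ipaddress.ip_network(cidr, strict=True)
    return [str(subnet) for subnet in network.subnets(new_prefix=new_prefix)]


def network_id(host, prefix):
    """The network portion of a host address under the given prefix length."""
    return str(ipaddress.ip_interface(f"{host}/{prefix}").network)


def same_segment(host_a, host_b, prefix):
    """Hosts can talk directly only when they share the same network ID;
    otherwise traffic must cross a router (or firewall) between segments."""
    return network_id(host_a, prefix) == network_id(host_b, prefix)


def assign_segments(cidr, new_prefix, groups):
    """Map named groups (IT, sales, wireless, ...) onto the carved-out segments, in order."""
    segments = segment_network(cidr, new_prefix)
    if len(groups) > len(segments):
        raise ValueError(f"{len(groups)} groups but only {len(segments)} segments in {cidr}")
    return dict(zip(groups, segments))


if __name__ == "__main__":
    # Constructed example: a /24 carved into four /26 segments of 62 usable hosts each
    plan = assign_segments("192.168.10.0/24", 26, ["it", "sales", "wireless", "servers"])
    for group, segment in plan.items():
        print(f"{group:9s} {segment}")
    print(same_segment("192.168.10.5", "192.168.10.60", 26))   # same /26 -> True
    print(same_segment("192.168.10.5", "192.168.10.70", 26))   # different /26 -> False
```

Moving a group to its own segment only isolates it if the device joining the segments (router or firewall) enforces a policy; the subnet boundary itself is what gives that device a place to apply one.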
Network Threats & Attacks
General steps that a cyber criminal carries out during a typical cyber attack. They are:
1. Conduct research
2. Identify targets
3. Exploit targets
4. Do bad things
Conducting Research
What is the cyber attacker's ultimate goal? Are they after credit card data? Are they seeking to
embarrass someone? Do they want to steal trade secrets?

With the goal in mind, cyber criminals, like any criminal, also each have their own modus
operandi (MO), or preferred method of working.

Not all cyberattacks are targeted ones. Sometimes the hacker doesn’t care who the victim is.
Instead, they launch attacks at random targets and see what they get.
Identifying Targets
During this phase, the cyber attacker pieces together the various bits of information collected in
the previous phase. The next step is to run scans against those assets to reveal information
about them.
There are three components of scanning:
• Network scanning: This seeks to enumerate (identify and list) what systems are within a
targeted range of IP addresses, identifying their IP address, operating system type, and version.

• Port scanning: This looks at the systems found during network scanning to reveal what ports
are open and therefore what services are running on them.

• Vulnerability scanning: This examines systems to reveal and enumerate known
vulnerabilities in the operating systems and applications on the devices.

What do we look for in vulnerability scans?


Exploiting Targets
During the exploiting targets step of a cyberattack, the attacker takes advantage of vulnerabilities
in systems or networks to gain unauthorized access. There are many types of exploits; some
common categories of them include:
• Attacks using malicious software
• Attacks using scripts
• Attacks using social engineering
• Password attacks
• Man-in-the-middle attacks
• Physical attacks

What are rootkits, and are they malicious?


Doing Bad Things
Some of the cyber attacker's objectives, and some of the bad things they do during a
cyberattack, include:
• Data exfiltration
• Extortion
• Denial of service
• Advanced persistent threat

What is the main goal of an APT?


Network Defenses
Firewall:

A firewall is a network device used to control access between two networks or two segments of a network. The
firewall permits certain kinds of traffic to flow through it while preventing other kinds of traffic.

Three general types of firewalls exist: packet filter, proxy, and stateful/dynamic packet filter, which are sometimes
referred to as firewall generations 1, 2, and 3, respectively.

Packet Filter

Packet filters are the most basic and least expensive type of firewall. A packet filter is a kind of router. It screens
all traffic and makes decisions as to whether to allow or deny traffic to pass from one of its interfaces to another
based on the header information of each message. The firewall contains an access control list (ACL) which is
configured by the organization. The ACL contains the rules upon which the firewall allows or denies what traffic
can flow. The ACL contains information including:

• Source and destination IP addresses
• Source and destination port numbers
• Protocol
• Direction of traffic (ingress and egress)
Proxy

Proxy firewalls do not allow direct communication between the networks they are installed between. The proxy
hides the IP address of the devices within the network it is protecting. The proxy intercepts and repackages all
traffic, applies a security policy, and prevents direct connections between the two networks. This makes it
harder for cyber criminals to discover information about what is on the other side of the proxy.

Stateful/Dynamic Packet Filter

Stateful/dynamic packet filters, instead of just using an ACL, take into account the nature of the communication that
is taking place to make decisions about what connections to allow or deny. They do this by examining the messages
going back and forth and keeping track of what they previously learned about a conversation.

They make access decisions based on the following information:

• IP address
• Protocols and commands
• Historical comparisons with previous packets
• The content of packets

A stateful firewall monitors the state of network conversations and allows packets to flow through the firewall only
if they are part of existing authorized conversations.
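The following Python is an added example, not code from the original slides, covering both the packet filter and the stateful filter described above. A generation-1 filter evaluates each packet's header fields against an ACL (first match wins, implicit deny); the stateful wrapper additionally remembers conversations it allowed and admits their replies. The policy, addresses and packets are constructed: the protected network is 10.0.0.0/24 and the only permitted traffic is outbound HTTPS.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str         # "tcp" or "udp"
    src_port: int
    dst_port: int
    direction: str     # "ingress" (into the protected network) or "egress"


def _ip_match(pattern: str, ip: str) -> bool:
    """'any' matches everything; otherwise the address must fall inside the CIDR block."""
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str
    proto: str = "any"
    src_ip: str = "any"
    dst_ip: str = "any"
    src_port: Optional[int] = None  # None means any port
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto in ("any", pkt.proto)
                and _ip_match(self.src_ip, pkt.src_ip)
                and _ip_match(self.dst_ip, pkt.dst_ip)
                and self.src_port in (None, pkt.src_port)
                and self.dst_port in (None, pkt.dst_port))


def packet_filter(acl: List[Rule], pkt: Packet) -> str:
    """Generation 1: header fields against the ACL, first match wins, implicit deny at the end."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Generation 3: remembers conversations it allowed and admits their replies."""

    def __init__(self, acl: List[Rule]):
        self.acl = acl
        self.conversations: Set[Tuple[str, int, str, int, str]] = set()

    def decide(self, pkt: Packet) -> str:
        # A packet flowing the opposite way of a tracked conversation is part of it.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.conversations:
            return "allow"
        verdict = packet_filter(self.acl, pkt)
        if verdict == "allow":
            self.conversations.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return verdict


# Constructed policy: 10.0.0.0/24 may reach HTTPS servers; nothing unsolicited comes in.
STRICT_ACL = [Rule("allow", "egress", "tcp", src_ip="10.0.0.0/24", dst_port=443)]
# A stateless filter cannot recognise replies, so its ACL has to open a hole for source port 443.
LOOSE_ACL = STRICT_ACL + [Rule("allow", "ingress", "tcp", src_port=443)]

OUTBOUND = Packet("10.0.0.5", "203.0.113.9", "tcp", 51000, 443, "egress")
REPLY = Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 51000, "ingress")
UNSOLICITED = Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 51000, "ingress")  # never requested


def compare_filters():
    stateful = StatefulFilter(STRICT_ACL)
    flows = (OUTBOUND, REPLY, UNSOLICITED)
    return {
        "stateless_strict": [packet_filter(STRICT_ACL, p) for p in flows],
        "stateless_loose": [packet_filter(LOOSE_ACL, p) for p in flows],
        "stateful_strict": [stateful.decide(p) for p in flows],
    }


if __name__ == "__main__":
    for name, verdicts in compare_filters().items():
        print(name, verdicts)
```

The comparison shows the practical difference between the generations: the strict stateless ACL breaks the legitimate reply, the loose stateless ACL admits an unsolicited packet that merely looks like a reply, and only the stateful filter allows the reply while still denying the unsolicited packet.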
Network Security Architecture
Organizations group the network into segments or security zones for which rules can be defined and access
controlled. One specific type of security zone is called a demilitarized zone (DMZ). Other architectural security
controls are virtual private networks (VPNs) and network access controls (NACs).

Network Segmentation

Network segmentation is a network design approach that allows organizations to group portions of the network
into segments, each acting like a small network.

Security benefits of Network Segmentation:

● Improved Security
● Better Access Control
● Improved Monitoring
● Improved Performance
● Better Containment
Physical segmentation is a process of splitting a larger network into smaller physical components. These
segments can communicate via intermediary devices such as switches, hubs, or routers. Physical network
segmentation can be an easy approach to divide a network, but it is expensive as it occupies more space.
Logical segmentation utilizes VLANs, which are isolated logically without considering the physical locations of
devices. Each VLAN is considered an independent logical unit, and the devices within a VLAN communicate as
though they are in their own isolated network. In this approach, firewalls are shared, and switches handle the
VLAN infrastructure. It is easier to implement and flexible to operate.
Micro-segmentation takes the concept of isolating network segments and controlling who has access to what
one step further: by doing it at the application level. With micro-segmentation, anything on the network, any
device or any application, can be its own segment. That means access can be controlled for any device or
application.

Effective micro-segmentation requires software-defined networking (SDN). An SDN is a dynamic approach to
computer networking intended to allow administrators to get around the static limitations of physical
architecture associated with traditional networks. The goal of SDN is not only to add dynamic capabilities to the
network but also to reduce IT costs through implementation of cloud architectures.

SDN therefore provides better and more granular control and management of the network. SDNs provide
greater ability to automate, provision, control, and troubleshoot the network.
Demilitarised Zones - DMZ/Screened Subnet

One specific implementation of network segmentation is a DMZ. A DMZ is a network segment that is positioned
in between the organization’s connection to the Internet and their internal networks.

The purpose of the DMZ is to create a buffer zone between the organization’s internal network and the outside
world. The DMZ is bordered by two firewalls. Organizations usually place their e-mail, web, and DNS servers in
the DMZ, as these servers require access to the Internet.
Virtual Private Networks

A VPN is a secure connection to a private network through a public network such as the Internet. The
connection is encrypted and secured virtually, extending the organization’s private network to authorized users
outside of it.
VPNs use tunneling technology that provides an encrypted channel through an untrusted network from the
user’s system to the VPN server. VPNs use tunneling protocols to protect the data and manage the connection.

Older protocols include Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP);
however, the de facto standard protocol for VPNs is IP Security (IPSec), which is a suite of protocols that
provides data integrity, authentication, and confidentiality.

An alternate and popular use of VPNs for home users is as a safer way to use the Internet. In this method,
instead of the VPN server providing a connection to a trusted network, it provides another connection to the
Internet. With this approach the VPN server acts as a proxy, hiding the user from a direct connection to Internet
resources. VPNs have become a popular option for home users because it allows them to use the Internet
safely and anonymously using an encrypted tunnel to the VPN server while hiding their IP address from Internet
traffic.
Network Access Control
NAC is a technology that allows organizations to implement controls that limit what devices can connect to their
network.

For example, if you want to connect to a corporate network that is configured for NAC, the network will not allow
your computer to connect until it first checks your computer to see if it meets certain criteria based on a policy.
The policy may say that only computers that have specific configuration settings or have antivirus software
installed or have up-to-date patches installed can connect to the network. This helps keep the network free of
devices that could introduce threats into the environment such as malware, hidden scripts, or software that is
otherwise not permitted on the network.
E-mail and Web Application Filtering

There are many specialized security appliances and services available used to defend
networks. Two of the most popular are e-mail and web application filters. Either can be
implemented as appliances, software running on a computer, or as services offered by vendors.

E-mail filters examine an organization’s inbound and outbound e-mail traffic looking for
evidence of phishing, spam, malware, suspicious links, disallowed attachments, and other
threats.

If a malicious e-mail is discovered, the filter blocks or quarantines the e-mail and automatically
deletes it or requires it to be manually inspected depending on how the filter is configured. Web
filters act as web firewalls. They monitor traffic between web applications and the Internet
based on a set of rules configurable by the organization to permit benign traffic while preventing
malicious traffic.
IDS and IPS

Both deploy sensors throughout the network that communicate with a centralized control or reporting system.
The centralized system allows the security staff to view indicators of malicious activity and take measures to
prevent security breaches.

IDS and IPS differ in that an IDS merely detects and reports on potential malicious activity, whereas an IPS not
only detects and reports but also automatically takes defensive action in response to what it sees, such as
blocking certain types of traffic.

A network-based IDS/IPS (NIDS) uses sensors deployed throughout the network in the form of specialized
appliances or computers running specialized NIDS software. A host-based IDS/IPS (HIDS) uses software
(called agents) installed on host computers that monitor for, and detect, malicious activity on the host. HIDS
agents look for host- or OS-specific activities that malware or cyber criminals are known to perform, such as
running processes, registry changes, file alteration, and so on. Whether network or host based, several
detection methods are employed by IDSs/IPSs.
Modern IDS/IPS products usually take advantage of more than one of these methods:

• Signature-based IDS/IPSs look for specific patterns in traffic, specific messages, or specific files on systems. These specific
patterns are called signatures. Usually IDS/IPS product vendors use a threat intelligence subscription service whereby the
products continually learn about new attacks and what kinds of signatures would be indicative of their presence. New signatures
are downloaded to the IDS/IPS products so they are continuously monitoring for and able to detect the latest attacks.
Signature-based IDSs are good at detecting already known attacks but not as good at detecting new kinds of attacks.

• Anomaly-based IDSs/IPSs are better at detecting unknown attacks. Whereas a signature-based IDS/IPS is good at knowing
“what bad looks like,” an anomaly-based IDS is good at knowing “what good looks like.” An anomaly-based IDS/IPS uses
statistical techniques such as artificial intelligence and machine learning to build a picture of what normal activity looks like on the
network or system. Then if the IDS/IPS sees activity that deviates from the norm, it passes an alert to indicate the activity should be
investigated. Anomaly-based IDSs are good at detecting previously unknown attacks for which signatures may not exist.

Whereas IDS and IPS products use the same technology and methods to detect potentially malicious activity, the difference lies in
what each one does about that activity. An IPS goes beyond mere detection and reporting by automatically taking action to try to
stop the attack or minimize its impact. Some of the actions an IPS may take include blocking traffic from a particular IP address,
turning off a port on a firewall, resetting a device such as a router, or even changing data to remove or replace malicious messages
or files.
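The following Python is an added example, not code from the original slides, showing the two detection methods side by side on constructed data. The signature detector matches known patterns against request paths; the anomaly detector learns a baseline of requests per client from a known-good training window and flags clients whose volume deviates from it by more than three standard deviations. The signatures, the training counts and the event list are all constructed for illustration.

```python
import re
import statistics
from collections import Counter

# Signatures: "what bad looks like" (constructed, deliberately simple patterns)
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-union-probe": re.compile(r"union\s+select", re.IGNORECASE),
}

# Constructed training window: requests per client during known-good operation
TRAINING_COUNTS = [4, 5, 3, 6, 5, 4, 5, 4]

# Constructed observation window: (client_ip, requested_path)
EVENTS = [
    ("10.0.0.4", "/index.html"),
    ("10.0.0.4", "/about.html"),
    ("10.0.0.2", "/images/../../etc/passwd"),
    ("10.0.0.7", "/search?q=shoes"),
] + [("10.0.0.9", f"/catalog?item={i}") for i in range(60)]


def signature_alerts(events):
    """Return (client_ip, signature_name) for every event matching a known pattern."""
    hits = []
    for ip, path in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((ip, name))
    return hits


def learn_baseline(counts):
    """Build the picture of 'normal': mean and standard deviation of requests per client."""
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_alerts(events, baseline, z_threshold=3.0):
    """Flag clients whose request volume sits more than z_threshold sigmas above the baseline."""
    mean, stdev = baseline
    per_client = Counter(ip for ip, _ in events)
    return sorted(ip for ip, n in per_client.items()
                  if stdev > 0 and (n - mean) / stdev > z_threshold)


def run_ids(events, training_counts):
    return {
        "signature": signature_alerts(events),
        "anomaly": anomaly_alerts(events, learn_baseline(training_counts)),
    }


if __name__ == "__main__":
    print(run_ids(EVENTS, TRAINING_COUNTS))
```

The two methods catch different events: the single traversal request from 10.0.0.2 is invisible to the volume baseline but matches a signature, while the 60-request burst from 10.0.0.9 matches no signature but stands out from the baseline, which is why products combine both.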
Antivirus

Antivirus software protects the device on which it is installed against attacks from viruses. Most antivirus products
detect and remove many types of malware and in addition protect computers against other threats, including spam
and phishing attacks.

Most antivirus software works by looking for patterns of behavior that match similar patterns, or signatures, stored in its
database of known malware. However, antivirus software also uses machine learning and heuristics to detect variations
in known malware behaviors. Since the threat environment is ever-changing antivirus software must be kept up to date.

Zero-day attacks are particularly troublesome because specific defenses against them are not yet in place. The term
zero-day applies to the following:

• Zero-day vulnerabilities: A recently discovered security vulnerability in a product, operating system, or application
that is unknown to the vendor or for which there is no available fix or patch.

• Zero-day exploits: A recently discovered exploit such as malware that is unknown to countermeasure organizations
(e.g., malware unknown to antivirus software vendors).

• Zero-day attacks: Any attack that takes advantage of zero-day vulnerabilities and/or zero-day exploits.
Internet of Things - IoT

The Internet of Things (IoT) is a general term that refers to many different kinds of physical devices that connect to
the Internet or IP networks. IoT devices are sometimes called smart devices because they frequently contain
processing capability, often in combination with sensors, robotics, and automation technology.

IoT devices are used in home automation, manufacturing and associated control systems, medical and healthcare,
infrastructure and power control systems, environmental monitoring, military communications and weapons systems,
and many other applications. Any device that has an IP connection is an IoT device.

IoT devices present unique security issues because security is not typically built into these devices.

Security flaws abound in IoT. Here are a few examples:


• Security vulnerabilities
• Poor authentication
• Lack of security features on the interface
• Physical access
Network Infrastructure

The two main types of infrastructure models include:

• On-premises infrastructure
• Cloud infrastructure
The main difference between an on-premises infrastructure and cloud infrastructure lies in how the service is
provisioned, managed, and utilized.

Considerations for On-premises infrastructure

Staffing Models
Datacenter personnel are either hired directly by the organization as in-house employees (known as insourcing) or the
organization may hire a third-party provider (known as outsourcing).

Datacenter Environmental Protection

When operating a datacenter, it is important to have systems in place to manage and control the environment to
manage temperature, humidity, and so on. This impacts the design and implementation of systems such as heating,
ventilation, and air conditioning and fire detection and suppression systems.
HVAC
It is important that the datacenter temperature and humidity levels are maintained at proper levels. Servers and other
computer equipment generate a lot of heat and are sensitive to heat. If the equipment gets too hot, it can overheat and
shut off.
Similarly with humidity, high humidity can cause computer components to corrode, and low humidity can introduce
static electricity.

Fire Detection and Suppression

Fires can happen from things like electrical failures, ignition of combustible materials, personnel carelessness, or even
arson. Organizations must ensure that proper systems are in place to detect and suppress fires if they occur. Fire
detectors typically operate by detecting heat, smoke, or flame. Upon detection, the system deploys suppression agents
(such as water or other gas agents). Gaseous systems are typically preferable for datacenters because they are the
least destructive to the equipment (servers, network equipment, etc.) but are also generally more expensive.
Datacenter System Redundancy
The redundancy of datacenter supply systems is critical to maintaining the continuity of ongoing operations. This
includes having alternate and backup power supply systems as well as the appropriate contracts with vendors and
suppliers in place (such as service level agreements) to ensure components can be replaced and services restored
within an appropriate timeframe in the event of an outage or disaster. Organizations must consider things like
connectivity between systems, hardware replacement, alternate power supply, alternate facilities, and so on.
Backup

There are many types of backup that you can choose from, and the difference between the methods lies in how each
method handles a property of each file called the archive bit. This is a bit that is used to communicate to the backup
system whether a particular file has changed since the last backup. When the archive bit is cleared (0), it
communicates that the file has been backed up already and has not changed since. When the bit is on (1), it
communicates that the file has had changes since the last backup and should be backed up again.

Full Backup With a full or normal backup, all data is backed up. During the full backup, the current status of the
archive bit is ignored, everything is backed up, and the archive bit for each file is cleared. A full backup takes the
longest time and the most space to complete.

Incremental In an incremental backup, all files that have been changed since the last full or incremental backup will be
backed up. During the incremental backup process, the archive bit for each file is cleared. An incremental backup
usually takes the least amount of time and space to complete.

Differential In a differential backup, all files that have been changed since the last full backup will be backed up.
During the differential backup process, the archive bit for each file is not cleared.
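As an added example (not from the original slides), the following Python models the archive bit as a per-file flag and runs the three backup types against the same sequence of changes, so the difference in what each copies and in which backup sets a restore needs can be seen directly. The file names and the change sequence are constructed.

```python
class FileSystem:
    """Constructed model: file name -> archive bit (True = changed since last backup)."""

    def __init__(self, names):
        self.archive_bit = {name: True for name in names}   # new files start as 'changed'

    def modify(self, name):
        self.archive_bit[name] = True                        # any write sets the bit


def full_backup(fs):
    """Everything is copied regardless of the bit, and every bit is cleared."""
    copied = sorted(fs.archive_bit)
    for name in copied:
        fs.archive_bit[name] = False
    return copied


def incremental_backup(fs):
    """Copy files changed since the last full OR incremental backup; clear their bits."""
    copied = sorted(name for name, changed in fs.archive_bit.items() if changed)
    for name in copied:
        fs.archive_bit[name] = False
    return copied


def differential_backup(fs):
    """Copy files changed since the last FULL backup; leave the bits set."""
    return sorted(name for name, changed in fs.archive_bit.items() if changed)


def simulate(strategy):
    """Full backup, then one change per day followed by the chosen backup type."""
    fs = FileSystem(["a", "b", "c"])
    log = [("full", full_backup(fs))]
    fs.modify("a")
    log.append(("day1", strategy(fs)))
    fs.modify("b")
    log.append(("day2", strategy(fs)))
    return log


def restore_sets(log, strategy):
    """Which backup sets a restore must apply, in order, to rebuild the latest state."""
    if strategy is differential_backup:
        return [label for label, _ in (log[0], log[-1])]   # full + newest differential
    return [label for label, _ in log]                      # full + every incremental


if __name__ == "__main__":
    for strategy in (incremental_backup, differential_backup):
        log = simulate(strategy)
        print(strategy.__name__, log, "restore:", restore_sets(log, strategy))
```

The trade-off follows from the bit handling: incremental backups stay small because each one clears the bits, but a restore needs the whole chain; differential backups grow until the next full backup because the bits are never cleared, but a restore needs only two sets.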
Attacks

Buffer Overflows: When a program is expecting input, either from another program or from a user
entering text into a field, it stores the data in a buffer, or area of memory. The program usually
expects the data to be of a certain size and therefore creates a buffer of the correct size to accept the
expected data. If the data received is greater in size than the size of the buffer, the extra data
overflows into other buffers or areas of memory, which can cause erroneous operation.

Cross-Site Scripting: Cross-site scripting (XSS) is a type of attack whereby the attacker injects a
malicious script into a website that is trusted by the intended victim(s) of the attack. Then, when the
unsuspecting victim visits the site, the script is executed by the victim’s browser.

SQL Injection: Sometimes when a user visits a website and enters data into a form or web page, the
data is sent by the web server to a database such as one that uses Structured Query Language
(SQL).
Attacks

Timing and Race Conditions: A timing attack, also called a race condition attack, is an entire family
of attacks in which the attacker takes advantage of the time between a sequence of events. One
example is a time of check/time of use (TOC/TOU) attack. This occurs when the system checks to
see if a specific file exists for a later operation. In this case the attacker replaces that file with a
malicious one in between the time of the check and the time the file is used.
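The following Python is an added example, not code from the original slides, that makes the TOC/TOU window visible. The racy reader checks a file name and then opens the same name again, so a swap in between changes what it reads; the safe reader opens once and performs the check on the descriptor it already holds, so a later swap has no effect. The "swap" is simulated by a hook called inside the window, and the temporary files are constructed; it assumes a POSIX system with symlinks and O_NOFOLLOW.

```python
import os
import stat
import tempfile

# O_NOFOLLOW makes open() refuse a symbolic link outright (POSIX; assumed available)
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def read_regular_file_racy(path, between_check_and_use=lambda: None):
    """Checks the *name*, then opens the *name* again: the two lookups can resolve differently."""
    if os.path.islink(path) or not os.path.isfile(path):     # time of check
        return None
    between_check_and_use()                                    # the window
    with open(path, "rb") as f:                                # time of use: fresh lookup
        return f.read()


def read_regular_file_safe(path, between_check_and_use=lambda: None):
    """Opens once, then checks and reads through that descriptor, so the name no longer matters."""
    try:
        fd = os.open(path, os.O_RDONLY | O_NOFOLLOW)
    except OSError:                                            # e.g. the path was a symlink
        return None
    with os.fdopen(fd, "rb") as f:
        between_check_and_use()                                # swapping the name now changes nothing
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):     # check the object we opened
            return None
        return f.read()


def demo():
    """Constructed scenario: 'public.txt' is checked, then swapped for a link to 'secret.txt'."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(secret, "w") as f:
            f.write("secret")

        def reset():
            if os.path.lexists(public):
                os.remove(public)
            with open(public, "w") as f:
                f.write("public")

        def swap():   # stands in for a concurrent process acting inside the window
            os.remove(public)
            os.symlink(secret, public)

        reset()
        racy = read_regular_file_racy(public, swap)
        reset()
        safe = read_regular_file_safe(public, swap)
        return racy, safe


if __name__ == "__main__":
    print(demo())   # (b'secret', b'public')
```

The general rule the safe version follows is to check the same object you use: once a descriptor is open, the kernel keeps it bound to the file it opened, so checks made with fstat on that descriptor cannot be invalidated by renaming or relinking the path.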

Brute force attack: Attempts to guess a password by systematically trying out every possible
combination of characters. It is slow and computationally intensive and can guess passwords of any
length.

Dictionary attack: Attempts to guess a password by systematically trying out every possible word in
a dictionary. It is fast but limited by the words in the dictionary.
Rainbow tables: Using a dictionary to create a list of hashes takes time and processing power. For efficiency,
hackers do this ahead of time and store the results in what are called rainbow tables. They are simply stores of
password and hash combinations that have already been computed that hackers can use to compare against
captured password hash databases. Hackers buy and sell rainbow tables to help each other in their malicious
activities.

A rainbow table attack seeks to mitigate the limitations of dictionary or brute force attacks by precomputing
the hash of passwords and storing them for later comparison.

A salt is random data fed as an additional input to a one-way function that hashes data, a password or
passphrase. Salting helps defend against attacks that use precomputed tables (e.g. rainbow tables), by vastly
growing the size of table needed for a successful attack.
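As an added example (not from the original slides), the following Python builds a small precomputed table of unsalted hashes from a constructed word list, shows that a stolen unsalted hash is recovered by a single lookup, and shows that a salted hash of the same password is not in the table at all. The salted path uses the standard library's PBKDF2, so each guess also costs the attacker many iterations; the word list and password are constructed.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the dictionary a precomputed table is built from
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "sunshine"]
ITERATIONS = 100_000


def build_precomputed_table(words):
    """Unsalted SHA-256 of each word -> word: the lookup a rainbow table hands an attacker."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def unsalted_hash(password):
    """How the stolen database was (badly) built: a bare hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None, iterations=ITERATIONS):
    """Random salt plus a slow KDF. Returns (salt, digest); the salt is stored beside the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt, iterations)[1], digest)


def lookup(table, digest_hex):
    return table.get(digest_hex)


def demo():
    """Same password, two storage schemes, one precomputed table."""
    table = build_precomputed_table(WORDLIST)
    stolen_unsalted = unsalted_hash("hunter2")
    _, stolen_salted = salted_hash("hunter2")
    return lookup(table, stolen_unsalted), lookup(table, stolen_salted.hex())


if __name__ == "__main__":
    print(demo())   # ('hunter2', None)
```

With a 16-byte salt the attacker would need a separate table per salt value, which is the growth the text describes; the iteration count adds a per-guess cost on top, so even an online dictionary attack against one account is slowed.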

On-Path Attack: In an on-path attack (previously known as a man-in-the-middle attack), the intruder places
himself between the sending and receiving devices and captures the communication as it passes by. The
interception of the data is invisible to those sending and receiving the data. The intruder can capture the
network data and manipulate it, change it, examine it, and then send it on.
Side Channel Attack
A side-channel attack is a security exploit that attempts to extract secrets from a chip or a system. This can be achieved by
measuring or analyzing various physical parameters. Examples include supply current, execution time, and
electromagnetic emission. These attacks pose a serious threat to modules that integrate cryptographic
systems.
Timing attacks/race conditions are an example of a side-channel attack where the attacker measures precisely
how long cryptographic operations take to complete, gaining information about the cryptographic process that
may be used to undermine its security.
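As an added example (not from the original slides), the following Python shows why a comparison that stops at the first mismatching byte is a timing side channel and what the fix looks like. Instead of measuring wall-clock time, each function also returns the number of bytes it examined, which is the quantity that leaks: for the early-exit compare it equals one plus the length of the correctly guessed prefix, for the constant-time compare it is always the full length. The token value is constructed.

```python
import hmac


def naive_compare(expected: bytes, provided: bytes):
    """Early-exit comparison. Returns (equal, steps); steps = 1 + length of matching prefix."""
    if len(expected) != len(provided):
        return False, 0
    steps = 0
    for x, y in zip(expected, provided):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_compare(expected: bytes, provided: bytes):
    """Examines every byte regardless of where the first mismatch is (same-length inputs)."""
    if len(expected) != len(provided):
        return False, 0
    diff, steps = 0, 0
    for x, y in zip(expected, provided):
        steps += 1
        diff |= x ^ y          # accumulate differences instead of branching on them
    return diff == 0, steps


def verify_token(expected: bytes, provided: bytes) -> bool:
    """What production code should call: the standard library's constant-time comparison."""
    return hmac.compare_digest(expected, provided)


SECRET = b"4f7a1c9e0b3d5e2a"   # constructed 16-byte token


def probe_steps(guesses):
    """Work done by each comparison for a series of guesses: (naive_steps, constant_steps)."""
    return {g: (naive_compare(SECRET, g)[1], constant_time_compare(SECRET, g)[1]) for g in guesses}


if __name__ == "__main__":
    for guess, steps in probe_steps([b"0000000000000000", b"4000000000000000", b"4f70000000000000"]).items():
        print(guess, steps)
```

The leak is in the early return: an observer who can time many comparisons learns how far each guess got, turning a search over the whole value into a search one byte at a time. Accumulating differences with OR and returning once at the end removes that dependence, and hmac.compare_digest does this for you.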
Application Scanning
Application scanning tools are commonly used as part of the software development process. These
tools analyze custom-developed software to identify common security vulnerabilities. Application
testing occurs using the following three software testing techniques:

● Static testing analyzes code without executing it. This approach points developers directly to
vulnerabilities and often provides specific remediation suggestions.

● Dynamic testing executes code as part of the test, running all the interfaces that the code
exposes to the user with a variety of inputs, searching for vulnerabilities.

● Interactive testing combines static and dynamic testing, analyzing the source code while
testers interact with the application through exposed interfaces.


Classification Errors
Detection systems produce two types of classification errors, and monitoring those errors is an important part of
security analytics.
False positive errors
Occur when the system alerts administrators to an attack but the attack does not actually exist.
False negative errors
Occur when an attack actually takes place but the system does not notice it.
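As an added example (not from the original slides), the following Python tallies both error types for a detection system from a constructed set of events, the events that were real attacks, and the events the system alerted on, then sweeps an alert threshold over constructed anomaly scores to show how lowering it trades false negatives for false positives.

```python
def confusion_matrix(all_events, flagged, actual_attacks):
    """Count each event once: TP/FP/FN/TN for a detection system."""
    all_events, flagged, actual_attacks = set(all_events), set(flagged), set(actual_attacks)
    return {
        "tp": len(flagged & actual_attacks),            # alert raised, attack real
        "fp": len(flagged - actual_attacks),            # alert raised, no attack (false positive)
        "fn": len(actual_attacks - flagged),            # attack real, no alert (false negative)
        "tn": len(all_events - flagged - actual_attacks),
    }


def error_rates(cm):
    def ratio(n, d):
        return n / d if d else 0.0
    return {
        "false_positive_rate": ratio(cm["fp"], cm["fp"] + cm["tn"]),
        "false_negative_rate": ratio(cm["fn"], cm["fn"] + cm["tp"]),
        "precision": ratio(cm["tp"], cm["tp"] + cm["fp"]),
        "recall": ratio(cm["tp"], cm["tp"] + cm["fn"]),
    }


# Constructed sample: ten events, three real attacks, and an anomaly score per event
EVENTS = [f"e{i}" for i in range(1, 11)]
ACTUAL_ATTACKS = {"e2", "e5", "e9"}
SCORES = {"e1": 0.1, "e2": 0.9, "e3": 0.2, "e4": 0.3, "e5": 0.7,
          "e6": 0.2, "e7": 0.8, "e8": 0.1, "e9": 0.5, "e10": 0.3}


def alerts_at(threshold):
    """The system alerts on every event whose score reaches the threshold."""
    return {event for event, score in SCORES.items() if score >= threshold}


def sweep(thresholds):
    """Confusion matrix at each threshold: the tuning knob behind both error types."""
    return {t: confusion_matrix(EVENTS, alerts_at(t), ACTUAL_ATTACKS) for t in thresholds}


if __name__ == "__main__":
    for threshold, cm in sweep([0.85, 0.6, 0.4]).items():
        print(threshold, cm, error_rates(cm))
```

At 0.6 the system misses e9 (a false negative) and alerts on e7 (a false positive); at 0.4 it catches every attack but keeps the false positive, and at 0.85 it has no false positives but misses two attacks. Which error is more acceptable depends on the cost of an investigation versus the cost of an undetected breach.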
