Network Technologies and Tools

Install and configure network components, both hardware and software-based, to support organizational security.

  • Firewall / UTM
  • NIDS / NIPS
  • VPN Concentrator

Firewalls

  • Isolate one network from another
  • A network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules (Cisco)
  • Hardware (appliances), software or both
  • Network or host-based

Firewall Types

  • Packet filter
    • Passes or blocks traffic to specific ports or IP addresses based on rules
    • Access Control List (ACL) filter
    • Little intelligence / stateless
    • Faster than stateful inspection
  • Proxy firewall
    • Acts as an intermediary
    • Application Proxy
    • Web Proxy
  • Stateful packet inspection
    • Intelligent
    • Analyzes data flows and traffic patterns
    • Dynamic access control decisions
    • Records are kept in a state table that tracks every communication channel
    • Remembers where the packet came from and where the next one should come from
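The state-table idea above is easiest to see in code. The following is an added, self-contained Python example (not from the original notes) of a toy stateful packet inspector: connections may only be initiated from the inside network, the 4-tuple of each outbound connection is recorded in a state table, and an inbound packet is accepted only when it is the reply half of a recorded flow. The network ranges, ports and the "close on first FIN/RST" simplification are assumptions made for the example; a real stateful engine also tracks sequence numbers and timeouts.

```python
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# A flow is recorded as (src, sport, dst, dport) from the initiating side's view.
Flow = Tuple[str, int, str, int]


class StatefulFirewall:
    """Toy stateful packet inspection (constructed example).

    Outbound SYNs create state; any other packet is only allowed if it belongs
    to a flow already present in the state table. Unsolicited inbound packets
    are therefore denied even if they arrive on an otherwise 'allowed' port.
    """

    def __init__(self, inside_net: str) -> None:
        self.inside = ip_network(inside_net)
        self.state: Set[Flow] = set()

    def process(self, src: str, sport: int, dst: str, dport: int, flags: Set[str]) -> str:
        outbound = ip_address(src) in self.inside
        flow: Flow = (src, sport, dst, dport)
        reverse: Flow = (dst, dport, src, sport)

        if outbound:
            if "SYN" in flags and "ACK" not in flags:
                self.state.add(flow)          # new connection from inside: record it
                return "allow"
            if flow in self.state:            # continuation of a known connection
                self._maybe_close(flow, flags)
                return "allow"
            return "deny"                     # outbound packet for an unknown flow

        # Inbound: only the reply half of a recorded flow is accepted.
        if reverse in self.state:
            self._maybe_close(reverse, flags)
            return "allow"
        return "deny"                         # unsolicited inbound traffic

    def _maybe_close(self, flow: Flow, flags: Set[str]) -> None:
        # Simplification: drop the entry on the first FIN or RST seen.
        if flags & {"FIN", "RST"}:
            self.state.discard(flow)


def demo() -> List[str]:
    """Constructed packet sequence; returns the firewall's decision per packet."""
    fw = StatefulFirewall("10.0.0.0/8")
    packets = [
        ("10.0.0.5", 51000, "203.0.113.9", 443, {"SYN"}),          # client opens HTTPS
        ("203.0.113.9", 443, "10.0.0.5", 51000, {"SYN", "ACK"}),   # server reply: known flow
        ("203.0.113.9", 443, "10.0.0.5", 51001, {"SYN"}),          # unsolicited inbound
        ("203.0.113.9", 443, "10.0.0.5", 51000, {"FIN", "ACK"}),   # server closes flow
        ("203.0.113.9", 443, "10.0.0.5", 51000, {"ACK"}),          # stale packet after close
    ]
    return [fw.process(*p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

A stateless packet filter cannot make the third decision: to let the legitimate reply through it would have to permit all inbound traffic from port 443 (or trust the ACK flag, which a sender can set arbitrarily), which is why the notes describe stateful inspection as the more intelligent, if slower, option.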

Firewall Rules

  • Configured to specify computers, programs, services, or ports or protocols
  • Order of firewall rules matters
  • Implicit deny
    • Access or resource availability is restricted to only those that are explicitly granted access; all others are denied
    • "Deny any any" is the last firewall or ACL rule
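To make "order matters" and "implicit deny" concrete, here is an added Python example (not from the original notes) of a first-match packet-filter ACL. The addresses, rule set and packets are constructed for the example; the point is that the same packet is allowed or denied depending only on where a deny rule sits, and that a packet matching no rule at all is dropped exactly as if a final "deny any any" rule were present.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # "any" source
    dst: str = "0.0.0.0/0"      # "any" destination
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First-match evaluation: the first rule that matches decides."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # implicit deny: nothing matched, so the packet is dropped


# Constructed ACL: a quarantined subnet is blocked before the allow rules.
ACL = [
    Rule("deny", src="10.0.99.0/24"),                                        # quarantined hosts
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),              # HTTPS from anywhere
    Rule("allow", src="10.0.0.0/8", dst="192.0.2.10/32", proto="tcp", dport=22),  # SSH from inside
]

SAMPLE_PACKETS = [
    Packet("10.0.99.5", "192.0.2.10", "tcp", 443),    # quarantined host, HTTPS
    Packet("10.0.1.7", "192.0.2.10", "tcp", 22),      # inside host, SSH
    Packet("198.51.100.4", "192.0.2.10", "tcp", 22),  # outside host, SSH
    Packet("10.0.1.7", "192.0.2.10", "udp", 53),      # no rule at all
]


def explicit_deny_matches_implicit(acl: List[Rule], packets: List[Packet]) -> bool:
    """True if appending an explicit 'deny any any' changes no decision."""
    with_explicit = acl + [Rule("deny")]
    return all(evaluate(acl, p) == evaluate(with_explicit, p) for p in packets)


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", evaluate(ACL, p), "| reversed ACL ->", evaluate(ACL[::-1], p))
```

Putting the quarantine deny rule last instead of first would let the quarantined host reach HTTPS, because the allow rule would match first; this is the mistake the "order matters" bullet warns about.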

Application Firewalls

  • Controls input, output, and/or access from, to, or by an application or service based on categories, rules, or heuristics.
  • Deep packet inspection
  • Function at Layer 7 of the OSI model
  • Web Application Firewall (WAF)
    • Protects web applications from known attacks (Injection, Buffer Overflows, etc.)
  • Often included in other firewall types (Proxy, IDS/IPS)

IDS/IPS

  • Intrusion — any activity or action that attempts to undermine or compromise the confidentiality, integrity, or availability of resources
  • Intrusion Detection / Protection Systems
  • Like a burglar alarm — Identify unauthorized activity, access or anomalies
  • Sensor — the IDS component that collects data from the data source and passes it to the analyzer
  • Host-based — On individual systems
  • Network-based — On the network borders

IDS vs IPS – Detection vs Protection

  • Passive response
    • Logging
    • Notification
    • Shunning/Quarantine
  • Active response
    • Terminating process or sessions
    • Configuration changes
    • Deception active response – Attacker believes the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a honeypot or logging system

IDS/IPS – where to use?

  • Signature based (aka knowledge-based)
    • Detects known vulnerabilities
    • Rules/updates provided by vendor
    • Reactive
  • Behavior-based
    • Outside of normal bounds / establish profile
    • Anomaly-based
    • Potential for false positives
  • Heuristic-based
    • Uses algorithms to analyze the activity / network traffic
    • High initial overhead

IDS/IPS Analytics

False Positive — Occurs when a typical or expected behavior is identified as irregular or malicious

False Negative — Occurs when an alert that should have been generated was not generated
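The following added Python example (not from the original notes) ties the signature-based detection of the previous section to these two analytics terms. A tiny, constructed signature set is run over constructed web-server log lines that carry ground-truth labels, and the results are tallied as true/false positives and negatives. The signatures, log lines and labels are all assumptions for the example, chosen so that one benign request trips a signature (false positive) and one malicious request matches nothing (false negative).

```python
import re
from typing import Dict, List, Tuple

# Constructed signature set (illustrative, not a vendor ruleset).
SIGNATURES = {
    "sqli-union": re.compile(r"union.{0,3}select", re.IGNORECASE),
    "xss-script-tag": re.compile(r"<script", re.IGNORECASE),
}

# Constructed access-log lines paired with a ground-truth label (True = malicious).
SAMPLE_LOG: List[Tuple[str, bool]] = [
    ('198.51.100.7 - - "GET /index.html HTTP/1.1" 200', False),
    ('198.51.100.7 - - "GET /search?q=shoes HTTP/1.1" 200', False),
    ('203.0.113.9 - - "GET /search?q=1%27%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1" 500', True),
    ('203.0.113.9 - - "GET /comment?text=<script>alert(1)</script> HTTP/1.1" 200', True),
    ('198.51.100.8 - - "GET /docs/sql-union-select-tutorial.html HTTP/1.1" 200', False),
    ('203.0.113.9 - - "GET /login?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200', True),
]


def detect(line: str) -> List[str]:
    """Return the names of every signature that matches the log line."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern.search(line))


def evaluate(log: List[Tuple[str, bool]]) -> Dict[str, int]:
    """Tally detector output against ground truth.

    tp: malicious and alerted      fp: benign but alerted (false positive)
    fn: malicious, no alert        tn: benign, no alert
    """
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for line, is_malicious in log:
        alerted = bool(detect(line))
        if alerted and is_malicious:
            counts["tp"] += 1
        elif alerted and not is_malicious:
            counts["fp"] += 1
        elif not alerted and is_malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    for line, label in SAMPLE_LOG:
        print(f"{'MAL' if label else 'ok '} alerts={detect(line)}  {line}")
    print(evaluate(SAMPLE_LOG))
```

The documentation URL that mentions "union-select" in its path shows where false positives come from: the signature matches text, not intent. The last line shows the reactive nature of signature-based detection noted above: an attack with no corresponding rule produces no alert at all, which is the gap behaviour- and heuristic-based approaches try to cover.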

VPN Concentrators

  • A virtual private network (VPN) allows remote access into a network
    • Site-to-Site
    • User (host-to-site)
  • VPN concentrator
    • Single device to funnel all VPN access / Connects VPN nodes
    • Encrypted tunnels
    • Centralized authentication (RADIUS, Kerberos, Federated ID)
  • Always-on VPN
  • Network security through encryption
    • Internet Protocol Security (IPsec)
    • Secure Sockets Layer (SSL)

Internet Protocol Security (IPsec) VPN

  • Provides authentication services and encapsulation of data through support of the Internet Key Exchange (IKE) protocol
  • Functions within the IP / Network layer (layer 3)
  • Three Services:
    • Data verification
    • Data tampering protection
    • Private transactions
  • Two separate (mutually exclusive) protocols
    • Authentication Header (AH) – authentication and integrity checking for data packets
    • Encapsulating Security Payload (ESP) — encryption services

SSL/TLS VPN

  • SSL (Secure Sockets Layer) / TLS (Transport Layer Security)
  • Note: TLS replaces SSL
  • Known as a WebVPN — remote access through a website over SSL/TLS
  • Point-to-point encrypted communications

VPN Tunneling

Full tunnel — all requests are routed and encrypted through the VPN. More secure

Split tunnel — only some traffic (usually all incoming requests) is routed and encrypted over the VPN; the rest goes directly to its destination

Unified Threat Management (UTM) & Next Generation Firewall (NGFW)

  • An all-in-one firewall appliance / single interface / single vendor
  • Network IDS/IPS
  • URL filtering
    • Block websites based on category or URL
  • Content inspection
    • Application aware
  • Malware inspection
