Chapter 5
TESFAY G/SILASSIE [ M-Tech ] CYBER SECURITY [ IT4204 ] MU-MIT
Network Security
Chapter outline
» Designing secure network
» Antivirus
» Implementing security in firewall
» Implementing security in IPS/IDS
» Monitoring incidents and providing response
Designing secure network
Network security: The practice of protecting computer networks from unauthorized
access, use, disclosure, disruption, modification, or destruction.
» It involves implementing a variety of technical and organizational measures to
safeguard the confidentiality, integrity, and availability of network data and
resources.
» Best practices for network security:
o Implement a layered security approach
o Regularly update software and firmware
o Monitor network traffic and activity
o Educate users on security best practices
o Conduct regular security assessments (Identify areas for improvement)
Designing secure network
Secure network design : A truly secure network design allows you to effectively
manage your client networks with a layered security approach.
» In general, while designing a secure network you should focus on:
» Physical security: You might not chart physical security on a technical diagram,
but physical security policy needs to be as specific as possible and
communicated broadly especially when the policy changes.
» Technologies that enhance physical security, such as premium locks, fingerprint
readers, PIN pads, and retinal scanners, should be selected carefully.
» Management needs to be advised that the company should focus on purchasing
quality devices to enhance physical security.
…Designing secure network
Secure network design :…
» Get into VLANs with subnets and QoS:
o VLAN (Virtual Local Area Network): Splits the devices in your clients' network
infrastructure into separate logical networks while leaving them physically
unchanged.
o VLANs can reduce the overhead of the network, make administration
easier, and improve security.
o Quality of Service (QoS): This is important not just for security but for
delivering fast and quality service to users.
…Designing secure network
Secure network design :…
» Get into VLANs with subnets and QoS:
o Add subnets: In a network with only one subnet, compromising a single device
puts every other device at risk.
o Subnets break the network into segments, each of which you can secure with
packet filters or full firewalls.
o You can shut down access from a compromised subnet to the rest of the network,
for example to stop a virus or hacker from spreading; intrusions are then
confined to one subnet and easier to troubleshoot.
o It is generally a good idea to keep your most sensitive data, such as that of the
HR and finance departments, on its own network, which gives you far more
control over the machines holding critical data.
…Designing secure network
Secure network design :…
» Add more and better firewalls: They give the “thumbs up” or “thumbs down”
sign to traffic based on preset parameters.
» Firewalls should not be used only at the perimeter; they should also wall off any
critical data in the network, even a single server.
» Use a DMZ (demilitarized zone): It is a subnetwork that exposes a
company's external-facing offerings to a larger, less trusted network (typically
the internet).
» By isolating these systems, you reduce the number of overall assets or
services that need to be managed securely.
» This can substantially lighten your administrative load and enhance security.
…Designing secure network
Secure network design :…
» Design for hierarchy: The prototype for network hierarchy is the three-layer
model. It has been adopted industry-wide as a model that is reliable,
scalable, and cost-efficient.
o Core
o Distribution
o Access
» This allows for data to take a direct path to a particular layer, which improves
efficiency and adds another layer of security.
…Designing secure network
Secure network design :
» Add port security: Port security is a capability of most switches that controls
which devices are permitted to use a given switch port.
» When the switch flags a violation, it can automatically disable that port,
shutting it off from further network access.
» Port security lets you limit both the number and the type of devices that are
allowed on individual switch ports.
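The port-security behaviour described above, as an added example (not code from the slides): each port learns a limited number of MAC addresses, and a frame from an unknown device beyond that limit is a violation that shuts the port down until an administrator clears it. Port names, MAC addresses and the "shutdown" violation mode are constructed for the demonstration.

```python
# Added example (not from the slides): a simulation of switch port security.
# Each port may learn a limited number of MAC addresses; a frame from an
# unknown device beyond that limit is a violation that shuts the port down.
# Port names, MACs and the "shutdown" violation mode are constructed.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_macs: int = 1                 # how many devices may use this port
    learned: set = field(default_factory=set)
    shutdown: bool = False            # disabled after a violation
    violations: int = 0

    def frame_from(self, mac: str) -> str:
        """Handle an ingress frame; return 'learn', 'forward' or 'shutdown'."""
        mac = mac.lower()
        if self.shutdown:
            return "shutdown"         # port stays down until an admin clears it
        if mac in self.learned:
            return "forward"          # a device this port already knows
        if len(self.learned) < self.max_macs:
            self.learned.add(mac)     # sticky learning of a new device
            return "learn"
        self.violations += 1          # unknown device over the limit: violation
        self.shutdown = True
        return "shutdown"

    def clear(self) -> None:
        """Administrative recovery: re-enable the port, keep the learned MACs."""
        self.shutdown = False


def simulate(port: SecurePort, frames: list[str]) -> list[str]:
    """Feed a sequence of source MACs through the port and collect decisions."""
    return [port.frame_from(m) for m in frames]


if __name__ == "__main__":
    gi = SecurePort("Gi0/1", max_macs=1)
    # Constructed traffic: the assigned workstation, then a second, unknown device
    print(simulate(gi, ["00:11:22:33:44:55", "00:11:22:33:44:55",
                        "de:ad:be:ef:00:01", "00:11:22:33:44:55"]))
```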
…Designing secure network
Secure network design :…
» Evaluate wireless: Smartphones, tablets, and mobile POS (point of sale)
devices have overtaken earlier fixed-wire technologies, yet have brought a
new level of vulnerability to the organizations deploying them.
» Depending on the size and scope of your wireless network, you may decide to
pursue the following:
o Strategy plan for overall wireless security
o Risk/compliance plan to help you manage risk and regulatory requirements
o Threat management investigation, including a wireless security assessment
o Incident management plan, detailing how you'll respond to incidents
o Architecture evaluation to assess your current plan and draft improvements
o Training and awareness to address human behavior
o Identity and access management plan so that only trusted users can efficiently
access services on your network using approved wireless devices.
…Designing secure network
Antivirus: Software that is created specifically to help detect, prevent and remove
malware (malicious software) such as viruses.
» Once installed, most antivirus software runs automatically in the background
to provide real-time protection against virus attacks.
» Comprehensive virus protection programs help protect your files and hardware
from malware such as worms, Trojan horses and spyware, and may also offer
additional protection such as customizable firewalls and website blocking.
…Designing secure network
How antivirus works: Antivirus software begins by checking your computer's
programs and files against a database of known types of malware.
» Typically, most programs use three different detection mechanisms:
» Specific detection: Identifies known malware.
» Generic detection: Looks for known parts or types of malware, or patterns that
are related by a common codebase.
» Heuristic detection: Scans for unknown viruses by identifying known
suspicious file structures.
» When the program finds a file that contains a virus, it will usually quarantine it
and/or mark it for deletion, making it inaccessible and removing the risk to
your device.
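The three detection mechanisms and the quarantine step above, as an added example (not code from the slides or from any real antivirus product): specific detection by file hash, generic detection by a byte pattern shared across a malware family, and heuristic detection by file structure, with flagged files moved into a quarantine store. The known hash, the family marker, the entropy threshold and the sample "files" are all constructed.

```python
# Added example (not from the slides): the three antivirus detection
# mechanisms run over constructed in-memory "files". Hashes, the family
# byte pattern and the heuristic rules are made up for the demonstration.
import hashlib
import math

KNOWN_HASHES = set()                                       # specific detection
FAMILY_PATTERNS = {"demo-family": b"DEMO_FAMILY_MARKER"}   # generic detection
QUARANTINE = {}                                            # name -> bytes, held away from the user


def register_known_sample(sample: bytes) -> None:
    """Add a sample's SHA-256 to the definitions, as a definition update would."""
    KNOWN_HASHES.add(hashlib.sha256(sample).hexdigest())


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted code sits near 8."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data))
                for c in (data.count(bytes([b])) for b in set(data)))


def scan(name: str, data: bytes) -> list[str]:
    verdicts = []
    if hashlib.sha256(data).hexdigest() in KNOWN_HASHES:   # exact known sample
        verdicts.append("specific:known-sample")
    for family, pattern in FAMILY_PATTERNS.items():
        if pattern in data:                                # code shared across a family
            verdicts.append(f"generic:{family}")
    # Heuristic rules: suspicious structure rather than a known identity.
    # "MZ" is the conventional Windows executable header.
    if data.startswith(b"MZ"):
        if name.lower().endswith((".txt", ".jpg", ".pdf")):
            verdicts.append("heuristic:executable-disguised-as-document")
        if entropy(data[2:]) > 7.0:
            verdicts.append("heuristic:packed-executable")
    return verdicts


def scan_files(files: dict) -> dict:
    """Scan every file; anything flagged is moved to quarantine."""
    report = {}
    for name, data in files.items():
        report[name] = scan(name, data)
        if report[name]:
            QUARANTINE[name] = data
    return report
```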
…Designing secure network
Best practices for using antivirus:
» Choose a reputable antivirus software: Look for software with good reviews
and a strong reputation.
» Keep your software updated: Regularly update your antivirus to ensure it has
the latest threat definitions.
» Scan regularly: Conduct full system scans to detect any hidden malware.
» Be cautious of downloads: Only download files from trusted sources.
» Educate yourself on security best practices: Learn how to recognize and avoid
phishing scams and other online threats.
…Designing secure network
Implementing security in firewall: Firewalls act as a barrier between your network
and external networks, filtering incoming and outgoing traffic to prevent
unauthorized access.
» Firewalls serve as security devices or software that monitor and control
network traffic based on predetermined security rules.
» They act as gatekeepers, allowing authorized traffic while blocking potentially
malicious activity.
…Designing secure network
How a firewall works:
» Filtering methods:
o Packet filtering: Analyzes packets (small chunks of data) and accepts or
rejects them based on rules such as IP address, port number, and protocol.
o Stateful inspection: Keeps track of active connections and ensures that
only valid, requested data is allowed through.
o Proxy service: Acts as a gateway, forwarding requests and responses
between the user and the Internet, so that direct contact never
occurs.
o Deep packet inspection (DPI): Examines the content of data packets,
allowing or blocking them based on their actual content.
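Packet filtering and stateful inspection together, as an added example (not code from the slides or any real firewall product): rules match on direction, IP address, port and protocol, and a connection table lets a reply back in only when the inside opened the connection, so an unsolicited inbound packet is dropped even if it looks like a reply. The addresses, ports and rule set are constructed; the default action is deny.

```python
# Added example (not from the slides): a toy firewall combining packet
# filtering (rules on IP, port and protocol) with stateful inspection (a
# connection table so that only replies to connections the inside opened
# are let back in). Addresses and the rule set are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    direction: str     # "out" = leaving the protected network, "in" = entering it


# Constructed rules: (direction, src network, dst network, proto, dst port, action)
RULES = [
    ("out", "10.0.0.0/24", "0.0.0.0/0", "tcp", 443, "allow"),   # inside may use HTTPS
    ("in", "0.0.0.0/0", "10.0.0.5/32", "tcp", 22, "deny"),      # no SSH from outside
    ("in", "0.0.0.0/0", "10.0.0.0/24", "tcp", 8080, "allow"),   # hypothetical public service
]
DEFAULT_ACTION = "deny"          # anything not explicitly allowed is dropped


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.table = set()       # established connections, from the initiator's view

    def filter(self, p: Packet) -> str:
        # Stateful inspection: a reply to a tracked connection is valid, requested data
        if p.direction == "in" and (p.dst, p.src, p.proto, p.dport, p.sport) in self.table:
            return "allow (established)"
        # Packet filtering: the first matching rule wins
        for direction, src_net, dst_net, proto, dport, action in self.rules:
            if (direction == p.direction and proto == p.proto and dport == p.dport
                    and ip_address(p.src) in ip_network(src_net)
                    and ip_address(p.dst) in ip_network(dst_net)):
                if action == "allow":
                    self.table.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return action
        return DEFAULT_ACTION


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    print(fw.filter(Packet("10.0.0.7", "203.0.113.10", "tcp", 51000, 443, "out")))
    print(fw.filter(Packet("203.0.113.10", "10.0.0.7", "tcp", 443, 51000, "in")))
```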
…Designing secure network
How a firewall works:
» Rules and policies: Firewalls work on predefined rules set by network
administrators.
» These rules align with the organization’s security policy to ensure proper
control and logging of network traffic.
» Intrusion detection and prevention systems (IDPS): Some firewalls use
integrated IDPS to detect and prevent known and unknown threats by
analyzing patterns and behavior within network traffic.
» Virtual private network (VPN) support: Firewalls often facilitate VPN
connections, allowing secure communication over untrusted networks.
…Designing secure network
Advantages and disadvantages of using a firewall:
Advantages:
o Protection against unauthorized access
o Prevention of malware and viruses
o Blocking content and managing privacy
o Bandwidth management
o Compliance and regulation
o Multi-layer security approach
o Monitoring and logging
Disadvantages:
o Complexity
o Performance issues
o Cost
o False positives/negatives
o Limited protection
…Designing secure network
Implementing security in IPS/IDS:
» Intrusion detection system (IDS): A system that monitors network traffic and
analyzes it for signs of possible intrusions, such as exploit attempts and incidents
that may be imminent threats to your network.
» It is responsible for identifying attacks and techniques and is often deployed in a
listen-only mode so that it can analyze all traffic and generate intrusion events
from suspect or malicious traffic.
» Intrusion prevention system (IPS): A system that conducts intrusion detection and
then stops the detected incidents by dropping packets or terminating sessions.
» It is deployed in the path of traffic so that all traffic must pass through it; upon
detection of malicious traffic, the IPS breaks the connection and drops the session
or traffic.
…Designing secure network
Implementing security in IPS/IDS:
» IDS/IPS identifies those exploit attempts and blocks them before they
successfully compromise any endpoints within the network.
» IDS/IPS monitors all traffic on the network to identify any known malicious
behavior.
» One of the ways in which an attacker will try to compromise a network is by
exploiting a vulnerability within a device or within software.
» IDS/IPS is a necessary security technology both at the network edge and within it,
as it can stop attackers while they are still gathering information about your network.
…Designing secure network
How an IDS works: Three detection methodologies are used to detect incidents:
» Signature-based detection: Compares signatures against observed events to
identify possible incidents. This is the simplest detection method because it
compares only the current unit of activity (such as a packet or a log entry) to a
list of signatures using string comparison operations.
» Anomaly-based detection: Compares definitions of what is considered normal
activity with observed events in order to identify significant deviations. This
detection method can be very effective at spotting previously unknown
threats.
» Stateful protocol analysis: Compares predetermined profiles of generally
accepted definitions of healthy protocol activity for each protocol state
against observed events in order to identify deviations.
…Designing secure network
How an IPS works: An IPS constantly monitors network traffic for known exploits to
protect the network.
» It then compares the traffic against existing signatures.
» If a match occurs, the IPS will take one of the following three actions:
o Detect and log the traffic
o Detect and block the traffic
o Detect, log, and block the traffic (the recommended option).
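The signature-based and anomaly-based detection methodologies from the preceding slide, together with the three IPS actions listed above, as one added example (not code from the slides or from any real IDS/IPS): a signature matches a known pattern in a request path, the anomaly check flags a source whose request count exceeds a learned baseline, and a per-alert policy maps each alert to log, block, or log and block. The log lines, the signature, the baseline and the policy are all constructed.

```python
# Added example (not from the slides): a minimal IDS/IPS over constructed
# web-server log lines. Signature detection matches a known pattern, anomaly
# detection flags a source whose request rate deviates from a baseline, and
# the IPS policy applies one of the three actions the slides list.
import re
from collections import Counter

# Constructed log lines: "<time> <src-ip> <method> <path> <status>"
LOG = """\
12:00:01 198.51.100.7 GET /index.html 200
12:00:02 198.51.100.7 GET /about.html 200
12:00:02 203.0.113.9 GET /../../etc/passwd 404
12:00:03 203.0.113.9 GET /login 200
12:00:03 203.0.113.9 GET /login 200
12:00:04 203.0.113.9 GET /login 200
12:00:04 203.0.113.9 GET /login 200
12:00:05 203.0.113.9 GET /login 200
""".splitlines()

SIGNATURES = {"path-traversal": re.compile(r"\.\./")}    # known bad pattern
BASELINE_REQUESTS_PER_SOURCE = 3                           # learned "normal"
POLICY = {"path-traversal": "log+block", "rate-anomaly": "log"}   # IPS actions

def parse(line):
    ts, src, method, path, status = line.split()
    return {"ts": ts, "src": src, "method": method, "path": path, "status": int(status)}

def signature_alerts(events):
    """Signature-based: string/regex comparison of each event against the list."""
    return [(e["src"], name) for e in events
            for name, rx in SIGNATURES.items() if rx.search(e["path"])]

def anomaly_alerts(events, baseline=BASELINE_REQUESTS_PER_SOURCE):
    """Anomaly-based: a source sending more than the baseline is a deviation."""
    counts = Counter(e["src"] for e in events)
    return [(src, "rate-anomaly") for src, n in counts.items() if n > baseline]

def ips_decide(alerts, policy=POLICY):
    """Map each alert to its action; a source is blocked if any alert says so."""
    blocked, log = set(), []
    for src, name in alerts:
        action = policy.get(name, "log")
        if "log" in action:
            log.append(f"{name} from {src}: {action}")
        if "block" in action:
            blocked.add(src)
    return blocked, log

def run(lines=LOG):
    events = [parse(l) for l in lines]
    return ips_decide(signature_alerts(events) + anomaly_alerts(events))
```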
…Designing secure network
Monitoring incidents and providing response: An incident response plan is a set of
documented procedures detailing the steps that should be taken in each phase of
incident response.
» It should include guidelines for responsibilities, communication plans, and
standardized response protocols.
» Within your plan it is important to use clear language and define any
ambiguous terms.
…Designing secure network
Monitoring incidents and providing response:…
» Incident response has six phases, and they occur as a cycle each time an
incident occurs.
» Preparation of systems and procedures: This phase involves performing a risk
assessment to determine what vulnerabilities currently exist and to prioritize
existing assets.
» This is also the phase in which existing policies and procedures are refined or
new ones are written.
…Designing secure network
Monitoring incidents and providing response:…
» Identification of threats: Using the tools and procedures determined in the
preparation phase, teams work to detect and identify any suspicious activity.
» When an incident is detected, team members need to work to identify the
nature of the attack, its source, and the goals of the attacker.
» During this phase, after an incident is confirmed, communication plans are also
typically initiated.
…Designing secure network
Monitoring incidents and providing response:…
» Containment of threats: After an incident is identified, containment methods
are determined and enacted to minimize the amount of damage caused.
o Short term containment: Immediate threats are isolated in place. For
example, the area of your network that an attacker is currently in may be
segmented off or a server that is infected may be taken offline.
o Long term containment: Additional access controls are applied to
unaffected systems. Meanwhile, clean, patched versions of systems and
resources are created and prepared for the recovery phase.
…Designing secure network
Monitoring incidents and providing response:…
» Elimination of threats: Once teams are aware of all affected systems and
resources, they can begin ejecting attackers and eliminating malware from
systems.
» This phase continues until all traces of the attack are removed. In some cases,
this may require taking systems off-line so assets can be replaced with clean
versions in recovery.
» Recovery and restoration: Teams bring updated replacement systems online.
» Teams must determine when the last clean copy of data was created and
restore from it.
…Designing secure network
Monitoring incidents and providing response:
» Feedback and refinement: This phase covers the lessons learned; teams review
what steps were taken during the whole process.
» Members should address what went well, what didn’t, and make suggestions
for future improvements.
» Any incomplete documentation should also be wrapped up in this phase.