Data & Network Security
Chapter 6 - Network Securing
Outline
6.1 Introduction Network securing
6.2 Use of cryptography for data and network security
6.3 Architectures for secure networks
6.3.1 Secure channels
6.3.2 Secure routing protocols
6.3.3 Secure DNS.
6.4 Defence mechanisms and countermeasures:
6.4.1 Network monitoring
6.4.2 Intrusion detection
6.4.3 Firewalls
6.4.4 Spoofing and DoS protection
6.4.5 Honeypots
6.4.6 Tracebacks
Learning Outcome
At the end of this chapter the students will be able to
• Understand the network securing factors and needs.
• Understand the use of cryptography for data and network security.
• Analyse which devices are suitable for use in any related network design.
• Apply any mechanism to defend the network.
Introduction
• The network is the entry point to your application.
• It provides the first gatekeepers that control access to the various servers in your environment.
• Servers are protected with their own operating system
gatekeepers, but it is important not to allow them to be
deluged with attacks from the network layer.
• In a nutshell, network security involves protecting network
devices and the data that they forward.
• The basic components of a network are the router, the firewall, and the switch.
Basic Network Component
Use of cryptography for data and network security
• Protocols for secure communication
– Secure HTTP (S-HTTP) – provides for the encryption of protected Web pages transmitted via the Internet between a client and a server.
– Secure Sockets Layer (SSL) – uses public key encryption to secure a channel over the Internet (Internet browser).
How HTTPS Works
How SSL Works
Architectures for secure networks
• Many factors must be considered to have a secure network. The factors are:
– the topology and placement of hosts within the network
– the selection of hardware and software technologies
– the careful configuration of each component
Architectures for secure networks
• Some of the typical challenges faced by the network designer include the following:
– Securing the network from Internet launched attacks
– Securing Internet facing web, DNS and mail servers
– Containing damage from compromised systems, and preventing
internally launched attacks
– Securing sensitive and mission-critical internal resources such as financial records, customer databases, trade secrets, etc.
– Building a framework for administrators to securely manage the
network
– Providing systems for logging and intrusion detection
Secure channels
• A channel is a way of communicating with people or getting something done.
• A "secure channel" can be defined as a way which authenticates the requester and also provides confidentiality and integrity of the data sent across it.
• In Windows Active Directory environments, a secure channel provides an encrypted way of communication between clients and domain controllers.
• There are three types of secure channels:
– communication between clients in a domain and domain controllers,
– a channel responsible for establishing secure communication between domain controllers of a source domain and domain controllers of a trusted domain,
– a channel responsible for establishing a secure path between domain controllers in the same domain.
• [Link]
[Link]
Routing Protocol
• Every network routing protocol performs three basic functions:
– discovery - identify other routers on the network
– route management - keep track of all the possible destinations
(for network messages) along with some data describing the
pathway of each
– path determination - make dynamic decisions for where to send
each network message
• Some secure routing protocols:
– [Link]
Security/Baseline_Security/securebasebook/sec_chap3.html
Secure DNS
• The Domain Name System (DNS) is used every time you surf the Web.
Figure: you type a site name into the browser, DNS is queried, the name is changed into an IP address, and the site is displayed.
• The process of converting the domain name to its IP address is called domain-name resolution.
Figure: domain-name resolution
DNS Services Offered by Providers Today
• Content filtering. This can be conveniently implemented to block adult
sites and other unwanted content, while requiring no software on the
computers and devices.
• Malware and phishing blocking. This can be performed by the content
filtering tool also, to block sites containing viruses, scams and other
dangerous content.
• Protection against botnets. This blocks communication with known
botnet servers so your computer isn't taken over.
• Advertisement blocking. This is another type of content filtering, which
some DNS services specifically concentrate on.
• URL typo correction. For instance, if you typed [Link] it would correct to [Link].
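The filtering services listed above all come down to the same resolver-side decision: is the queried name, or one of its parent domains, on a category list the customer has enabled? The following is an added example (not from the slides or any provider's code) of that decision with a constructed blocklist and constructed upstream answers; the sinkhole address and category names are assumptions.

```python
SINKHOLE = "0.0.0.0"   # address returned instead of the real one for blocked names

# Constructed blocklist (sample data): a listed domain also covers every subdomain.
BLOCKLIST = {
    "malware": {"evil-downloads.example"},
    "botnet": {"c2.example"},
    "adult": {"adult-site.example"},
    "ads": {"ads.example"},
}

# Constructed upstream answers standing in for a real recursive lookup.
UPSTREAM = {"www.example": "192.0.2.10", "shop.example": "192.0.2.20"}

ALL_CATEGORIES = ("malware", "botnet", "adult", "ads")

def normalize(name):
    """Lower-case and strip a trailing dot so 'WWW.Example.' and 'www.example' match."""
    return name.strip().rstrip(".").lower()

def classify(name, blocklist=BLOCKLIST, enabled=ALL_CATEGORIES):
    """Return the blocking category for the name or any of its parent domains,
    considering only the categories the customer has enabled; None if clean."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])     # name, then each parent domain in turn
        for category in enabled:
            if candidate in blocklist.get(category, ()):
                return category
    return None

def resolve(name, enabled=ALL_CATEGORIES, upstream=UPSTREAM):
    """Filtering resolver: blocked names get the sinkhole address and a reason;
    everything else is answered from the upstream table (None when unknown)."""
    category = classify(name, enabled=enabled)
    if category:
        return {"name": normalize(name), "addr": SINKHOLE, "blocked_by": category}
    return {"name": normalize(name), "addr": upstream.get(normalize(name)), "blocked_by": None}
```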
Defence mechanisms and countermeasures
• Many organizations struggle to design and implement adequate
network infrastructures to optimize network security
monitoring.
• This challenge often leads to data loss with regard to monitored traffic and security events, increased cost in new hardware and technology needed to address monitoring gaps, and additional information security personnel to keep up with the overwhelming number of security alerts.
• Organizations spend a lot of time, effort, and money deploying
the latest and greatest tools without ever addressing the
fundamental problem of adequate network security design.
Network Monitoring
• Network monitoring is the process of monitoring the network. To ensure the network is well monitored, the visibility of the network architecture needs to be considered.
• Visibility should be provided for:
– Logical network security segmentation
– Security event logging
• Refer to the paper provided in Kalam: Infrastructure Security Architecture for Effective Security Monitoring.
Logical Network Security Segmentation
• A network segment, also known as a network security zone,
is a logical grouping of information systems in an enterprise
network.
• A network security zone has a well-defined perimeter and
strict boundary protection.
• The zone is created based on different security requirements.
• Network segmentation is part of a defense-in-depth strategy with the following goals: limit the scope of regulatory compliance, reduce data exfiltration, reduce the attack surface, compartmentalize systems, and increase availability.
Logical Network Security Segmentation: Network
Security Zones
• Internet Zone - No Trust
• External DMZ - Low Trust
• Enterprise Zone - Medium Trust
• Extranet Zone - Medium Trust
• Internal DMZ - High Trust
• Management Zone - Highest Trust
• Restricted Zone - Highest Trust
Logical Network Security Segmentation: Rules of Communication
Security Event Logging
• A log is a record of events occurring in a computer system or network that triggers a notification, adding it to a local system file or forwarding it to a centralized log management infrastructure for further processing and analysis.
• Logs are a prime resource for troubleshooting and supporting business goals.
• Log management is the process of generating, gathering,
transmitting, storing, analyzing, and disposing of event
logs from disparate sources.
What to Log
• Logs can be categorized as follows:
– Security logs
– Operating system logs
– Application logs
• For security logs, at a minimum an organization should be collecting from the following categories of systems:
– host-based protection software, intrusion detection and prevention systems (IDS/IPS), VPN or remote access systems, web proxy servers, vulnerability management software, authentication servers, routers and layer 3 switches that contain access control lists, and firewalls.
What to Log
• Operating system logs assist in the investigation of suspicious activities around a particular system.
• OS logs - an audit log records both successful and failed login attempts, account modifications, file access attempts, use of privileges, and security policy changes.
• Application logs - applications generate log files and support network protocols such as syslog or SNMP to transfer the logs to a centralized log collector.
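Once an audit log of successful and failed logins reaches the collector, the analysis step is what turns it into a security event. The following is an added example (not from the slides or the cited paper) that parses constructed syslog-style sshd lines and raises two alerts: repeated failures from one source inside a time window, and an accepted login from a source that was already failing. The threshold, window and log content are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd authentication log in syslog format (sample data, not from the slides).
SAMPLE_LOG = """\
Jan 12 10:15:01 web01 sshd[2311]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Jan 12 10:15:03 web01 sshd[2311]: Failed password for root from 198.51.100.23 port 51236 ssh2
Jan 12 10:15:04 web01 sshd[2314]: Failed password for root from 198.51.100.23 port 51240 ssh2
Jan 12 10:15:09 web01 sshd[2320]: Accepted password for alice from 10.0.0.8 port 40012 ssh2
Jan 12 10:15:40 web01 sshd[2331]: Failed password for bob from 10.0.0.8 port 40020 ssh2
Jan 12 10:15:41 web01 sshd[2331]: Connection closed by 10.0.0.8 port 40020 [preauth]
Jan 12 10:16:02 web01 sshd[2340]: Accepted publickey for root from 198.51.100.23 port 51300 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(lines):
    """Turn raw syslog lines into (timestamp, host, result, user, ip) tuples;
    lines that are not authentication results are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["host"], m["result"], m["user"], m["ip"]))
    return events

def detect(events, threshold=3, window=timedelta(seconds=60)):
    """Raise a brute_force alert when one source IP fails >= threshold times
    inside the window, and a success_after_failures alert when that same
    source later gets an accepted login (the event an analyst wants first)."""
    alerts, failures, flagged = [], {}, set()
    for ts, host, result, user, ip in sorted(events):
        if result == "Failed":
            recent = [t for t in failures.get(ip, []) if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, host, len(recent)))
        elif ip in flagged:
            alerts.append(("success_after_failures", ip, host, user))
    return alerts

def run(text=SAMPLE_LOG):
    return detect(parse(text.splitlines()))
```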
Log Management Architecture
• In this course we will discuss a three-tier log management architecture.
• Tier I: Log generation
– includes the systems, networks, and applications that
generate log data.
• Tier II: Log analysis and storage
– Consists of the log servers, also known as log collectors,
which receive the log data from Tier I.
• Tier III: Log monitoring
– Includes administrative consoles used to monitor and
review the log data.
Baseline log management architecture
Intrusion detection & Intrusion Prevention
• Intrusion Detection Systems (IDS) inspect network traffic to
identify signs of malicious activity and policy violations,
enabling organizations to respond before a threat actor
causes significant harm to IT systems.
• Intrusion Prevention Systems (IPS) have the same capabilities as an IDS but go a step further by attempting to react to a detected threat to prevent it from being successful.
• The IDS/IPS infrastructure will be discussed in two types: intra-zone and inter-zone.
Intrusion detection & Intrusion Prevention – Requirement
• Sensor
– IDS and IPS sensors that monitor and analyze network activity.
• Management server
– Centralized hardware or software product that receives information from
all the sensors on the network and performs data analysis. It provides a
centralized point of access for all security events detected by the sensors,
correlates these events and provides reporting capabilities.
• Database server
– Stores the security events.
• Console
– Interface used by security analysts to administer the sensors, apply
software updates, and monitor and analyze security events.
Intrusion detection & Intrusion Prevention – Requirement
• Spanning port
– A spanning port makes a copy of all the traffic traversing specific
switch ports or VLANs and sends it to the sensor.
– A spanning configuration is the easiest and cheapest way of getting
the traffic to the sensors
– It has many limitations:
• Switches have a limited number of SPAN ports, typically two.
• Reconfigurations of the spanning port can cause the sensors to stop capturing and monitoring critical traffic.
• Increased data loss due to an oversubscribed spanning port or overloaded switch backplane.
• It does not guarantee a 100% view of network traffic.
Intrusion detection & Intrusion Prevention – Requirement
• Network TAP
– A network tap deployed inline between the sensor and the
network itself decreases the risk of dropped packets by
using the existing signals to reconstruct the traffic flows.
– A network tap is a scalable solution when multiple
monitoring tools are required to capture the same traffic;
– The monitoring tools can be connected directly to the
network tap without impacting network traffic.
– The tap must fail-open in the event of power loss or
malfunction.
Intrusion detection & Intrusion Prevention – Requirement
• IDS Load balancer
– An IDS load balancer is a passive device that
aggregates and distributes the traffic received
from a spanning port or TAP traffic across multiple
sensors.
– When the output rate of monitored traffic exceeds
the throughput of a single sensor, an IDS load
balancer can be used to decrease the number of
dropped packets and increase visibility.
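The load balancer cannot simply spray packets round-robin across sensors: a sensor only sees an attack inside a TCP session if it receives both directions of that session. The following is an added example (not from the slides or any vendor) of the distribution logic with a direction-independent flow key, next to a naive 5-tuple hash for comparison; the packets are constructed sample data.

```python
import hashlib

# Constructed packets: (src_ip, dst_ip, proto, src_port, dst_port); each flow appears in both directions.
PACKETS = [
    ("10.0.0.5", "203.0.113.7", "tcp", 51000, 443),
    ("203.0.113.7", "10.0.0.5", "tcp", 443, 51000),
    ("10.0.0.9", "203.0.113.7", "tcp", 51001, 443),
    ("203.0.113.7", "10.0.0.9", "tcp", 443, 51001),
    ("10.0.0.5", "198.51.100.2", "udp", 40000, 53),
    ("198.51.100.2", "10.0.0.5", "udp", 53, 40000),
]

def flow_key(pkt):
    """Direction-independent flow key: sort the two endpoints so that the request
    and the reply of one conversation produce the same key."""
    src_ip, dst_ip, proto, sport, dport = pkt
    lo, hi = sorted([(src_ip, sport), (dst_ip, dport)])
    return (proto, lo, hi)

def _bucket(material, n_sensors):
    digest = hashlib.sha256(repr(material).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_sensors

def pick_sensor(pkt, n_sensors):
    """Symmetric hashing: both directions of a flow reach the same sensor, so that
    sensor can reassemble the stream and inspect the whole conversation."""
    return _bucket(flow_key(pkt), n_sensors)

def naive_pick_sensor(pkt, n_sensors):
    """Hashing the raw 5-tuple: request and reply may land on different sensors,
    leaving each sensor with half a conversation."""
    return _bucket(pkt, n_sensors)

def distribute(packets, n_sensors, chooser=pick_sensor):
    """Map each sensor index to the packets it would receive."""
    assignment = {i: [] for i in range(n_sensors)}
    for pkt in packets:
        assignment[chooser(pkt, n_sensors)].append(pkt)
    return assignment

def split_flows(packets, n_sensors, chooser):
    """Count flows whose two directions were sent to different sensors."""
    seen = {}
    for pkt in packets:
        seen.setdefault(flow_key(pkt), set()).add(chooser(pkt, n_sensors))
    return sum(1 for sensors in seen.values() if len(sensors) > 1)
```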
IDS – IPS ZONE
• Intra Zone
– detects lateral movement between systems inside the zone, fraudulent activities executed by end-users exploiting existing trust relationships between systems, or a worm outbreak.
• Inter Zone
– detects malicious traffic that may have gotten past the zone's perimeter firewall.
– the sensor can act as an auditing device to ensure that the firewall's security policies are working as intended.
Intra-Zone: Using Spanning Port
Intra-Zone: Using Spanning Port and SPAN TAP
Intra-Zone: IDS load Balancer
Inter-Zone – IDS using Network TAP
Inter-Zone – IPS
Firewalls
• The role of the firewall is to block all unnecessary ports and to allow traffic only from known ports.
• It must be capable of monitoring incoming requests to prevent known attacks from reaching the Web server.
• Intrusion detection plus a firewall is a useful tool for preventing attacks and detecting intrusion attempts, or in worst-case scenarios, the source of an attack.
• A firewall should exist anywhere you interact with an untrusted network, especially the Internet.
Firewall configuration
• The configuration categories for the firewall include:
– Patches and updates
– Filters
– Auditing and logging
– Perimeter networks
– Intrusion detection
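The firewall's filters are where the network security zones and their rules of communication (earlier slides) are actually enforced: default deny, with explicit allow rules between zones. The following is an added example (not from the slides or the cited paper) of such a rule set with a lint check and an audit pass over constructed traffic; the allow rules and the "step up at most one trust level" rule are assumptions, while the zone trust order is the one on the slides.

```python
# Trust levels of the security zones from the slides (higher means more trusted).
ZONES = {"internet": 0, "external_dmz": 1, "enterprise": 2, "extranet": 2,
         "internal_dmz": 3, "management": 4, "restricted": 4}

# Assumed allow rules (src_zone, dst_zone, proto, dst_port). Anything not listed is denied.
ALLOW = [
    ("internet", "external_dmz", "tcp", 443),
    ("internet", "external_dmz", "tcp", 80),
    ("external_dmz", "enterprise", "tcp", 5432),
    ("enterprise", "internal_dmz", "tcp", 443),
    ("management", "*", "tcp", 22),
]

def lint_rules(rules):
    """Assumed rules of communication: only the management zone may use a wildcard
    destination, and no other zone may open a path that jumps more than one trust
    level upward (so the Internet must land in the external DMZ first)."""
    problems = []
    for src, dst, proto, port in rules:
        if src == "management":
            continue
        if dst == "*":
            problems.append(f"{src}: wildcard destination not allowed")
        elif ZONES[dst] - ZONES[src] > 1:
            problems.append(f"{src} -> {dst}: skips a trust level")
    return problems

def decide(src_zone, dst_zone, proto, dst_port, rules=ALLOW):
    """Default deny: a packet passes only if an explicit rule matches its zones,
    protocol and destination port."""
    for src, dst, p, port in rules:
        if src == src_zone and dst in (dst_zone, "*") and p == proto and port == dst_port:
            return "allow"
    return "deny"

def audit(packets, rules=ALLOW):
    """Evaluate constructed packets and return (decision, packet) pairs; the denies
    are what the auditing and logging item of the firewall configuration records."""
    return [(decide(*pkt, rules=rules), pkt) for pkt in packets]

# Constructed traffic: (src_zone, dst_zone, proto, dst_port)
SAMPLE = [
    ("internet", "external_dmz", "tcp", 443),
    ("internet", "internal_dmz", "tcp", 443),
    ("management", "restricted", "tcp", 22),
    ("enterprise", "restricted", "tcp", 22),
]
```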
References
Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., & Murukan, A. (2003). Securing Your Network.
Obregon, L. (2016). Infrastructure Security Architecture for Effective Security Monitoring.
Stallings, W. (2017). Network Security Essentials.