Network security is a broad term used to describe the protection of all computing resources from availability, confidentiality, and integrity attacks and failures. This involves anti-malware, firewalls, intrusion detection, data loss prevention technology, and other protections.
Network security involves specific protective controls that are added to a network. These controls have evolved over the years and will continue to grow as we learn more about how to defend a network, and as hackers learn new ways to attack.
To ensure that you have the best controls added for protection, it is necessary to first understand the threat landscape and network vulnerabilities. It is also important to understand what types of controls are available so you can apply the correct vendors, solutions, and configurations to your network.
Threats are potential violations that affect resource confidentiality, availability, or integrity. Threats can include sensitive data disclosure, data alteration, or even denial of access to a service.
The threat landscape consists of available information about threats, threat actors, and the threat vector that allows an attack to occur. The threat actor is a person or a group of people that intends to cause harm using existing threats.
For example, in the case of a stolen laptop, the threat actor is the thief. The threat vector is the path of the attack such as an unlocked door and a laptop not properly secured to a table.
For a threat to be realized, there must be an exploitable vulnerability. A vulnerability is a weakness or flaw that threat actors can use to violate security policies.
Continuing our laptop example, lightweight design, portability, and convenience are features that attract many customers. At the same time, those same features are weaknesses that increase the likelihood of theft. Security controls such as door locks or cable locks slow down the threat actor and reduce the probability of theft, which decreases the overall risk.
Confidentiality, integrity, and availability (CIA) are the main attributes that define the goal of any information security process. There are many strategies and activities involved in the process, and each falls under one of three phases: prevention, detection, and response.
The pillars of the prevention phase are as follows, and are executed through a well-documented policy:
Detection is about employing capabilities that monitor and log the system’s activity. In the case of a possible breach or malicious activity, the detection systems should notify the responsible party or person. The detection process is only valuable when followed by a timely, planned response.
Response is a well-planned correction for an incident that covers stopping an ongoing attack, updating a system with the latest patch, or changing the configuration in a firewall.
It is important to understand critical concepts in network security. If you, the defender, are not aware of vulnerabilities and threat actors, you won’t know the best security controls to put in place. An example is understanding that the identity of the user needs to be verified before access to the system is granted. This is essential knowledge that enables you to identify the correct vendor and solution.
Access control is a type of security control that almost everyone is familiar with. Most people these days have used a password to log into a computer, possibly as recently as a few minutes ago. You may have used a password to access a network, an application, or a file. The average person has at least 10 passwords to track.
Access control implementation is broken down into four parts: identification, authentication, authorization, and accounting (IAAA). This process confirms the user’s identity through a unique identifier such as a user ID, username, or account number.
The system authenticates the user’s identity by verifying credentials that are known by the user, such as a username and password, or that are in the user’s possession, such as an ID card or a one-time password. After the system verifies a user, authorization is the process of granting access permission.
The final part – accounting – entails tracking user activity to hold those with access accountable for their actions on a system. Passwords are not the only choice today. There are many options, including one-time password generation hardware or software, smart cards, and biometrics. Choosing the correct option for any network resource requires careful consideration.
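The four IAAA steps above, as an added example that is not part of the original article: the user store, roles, and passwords are constructed for the demonstration, authentication uses a salted PBKDF2 hash compared in constant time, and accounting is an in-memory audit list.

```python
import hashlib
import hmac
import os
import time

# Constructed account store (identifier -> salt, password hash, role). The
# credentials below are invented for this example only.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _make_user(password, role):
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash_password(password, salt), "role": role}

USERS = {
    "alice": _make_user("correct horse battery", "admin"),
    "bob": _make_user("hunter2-but-longer", "reader"),
}
# Authorization policy: which roles may perform which actions.
PERMISSIONS = {"admin": {"read", "write", "delete"}, "reader": {"read"}}
AUDIT_LOG = []  # accounting: one record per access attempt
_DUMMY_SALT = os.urandom(16)  # used so unknown users cost the same time


def identify(username):
    """Identification: map the claimed identifier to a known account."""
    return USERS.get(username)


def authenticate(username, password):
    """Authentication: verify something the user knows (the password)."""
    user = identify(username)
    if user is None:
        _hash_password(password, _DUMMY_SALT)  # same work, no account leak
        return False
    return hmac.compare_digest(user["pw"], _hash_password(password, user["salt"]))


def authorize(username, action):
    """Authorization: check the authenticated user's role against the policy."""
    user = identify(username)
    return user is not None and action in PERMISSIONS.get(user["role"], set())


def access(username, password, action):
    """Run IAAA end to end; every attempt is recorded (accounting)."""
    authed = authenticate(username, password)
    allowed = authed and authorize(username, action)
    AUDIT_LOG.append({"ts": time.time(), "user": username, "action": action,
                      "authenticated": authed, "allowed": allowed})
    return allowed
```

Note that a failed authentication is still logged, which is exactly the kind of event a monitoring pipeline later correlates.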
Network segmentation is dividing a network into smaller logical parts so controls can be added in between. This enhances performance and improves security. Virtual local area networks (VLANs) are a common network segmentation method used both on-premises and in cloud infrastructure. In the cloud, the equivalent segmentation unit is called a virtual private cloud (VPC).
Traditional networking within a physical data center had a clearly-defined perimeter. It was the point where the data center had a connection to the outside world. Today, perimeters are harder to define, but we still use a lot of the same technology.
This includes firewalls (FW), intrusion detection systems (IDS), and intrusion prevention systems (IPS). When you define a perimeter, it is necessary to determine what data, voice, and video is allowed to pass. Once you understand what type of traffic should flow, the control mechanisms can be configured accordingly.
Encryption ensures the confidentiality and integrity of data in transit or at rest by converting it into ciphertext using a key. Symmetric and asymmetric cryptography are the two basic types of encryption.
Ancient Egyptians used symmetric encryption for confidentiality purposes. Today we use the same concept, but employ much more complex algorithms. For example, if you want to keep an online banking session confidential, you would encrypt it with symmetric encryption. To ensure the authenticity of the banking website, you would use asymmetric encryption to securely exchange the keys for that session’s symmetric encryption.
Hashing uses an algorithm to convert the original message or data, whatever its length, into a short, fixed-length value called the hash or digest. This digest serves as a fingerprint used to verify the integrity of that same message or data.
Hashing algorithms are a way to verify the integrity of a communication. It is as simple as reading this sentence. How do you know for sure that this is what was typed in? Has it been changed accidentally or maliciously?
Hashing algorithms are used to prove that the letters, or the bits, have not accidentally been altered. Having the hash protected with encryption helps you to know that a hacker has not maliciously changed the text. Hashing is widely used to store passwords securely, monitor files, and ensure communication integrity.
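The distinction made above between accidental and malicious alteration, as an added example that is not part of the original article. It uses HMAC-SHA256 as the concrete form of a "protected" hash (a keyed hash rather than an encrypted one, which is the standard way to achieve what the text describes); the message, key, and edits are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-shared-secret-for-this-example"  # known only to the two parties
MESSAGE = b"Transfer $100 to account 42"              # constructed sample message


def digest(message):
    """Unkeyed SHA-256: anyone can recompute it, so it detects accidents only."""
    return hashlib.sha256(message).hexdigest()


def tag(message, key=KEY):
    """Keyed hash (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(message, check, keyed):
    """Constant-time comparison of the received check value."""
    expected = tag(message) if keyed else digest(message)
    return hmac.compare_digest(expected, check)


def corrupt_bit(message):
    """Accidental alteration: a single bit flipped in transit."""
    data = bytearray(message)
    data[0] ^= 0x01
    return bytes(data)


def tamper(message, keyed):
    """Malicious alteration: the attacker rewrites the amount and recomputes the
    check. Without the key, the best it can do for a keyed check is a guess."""
    new_message = message.replace(b"$100", b"$900")
    new_check = tag(new_message, b"wrong-key") if keyed else digest(new_message)
    return new_message, new_check


def accidental_detected(keyed):
    """True when a bit flip is caught by the check that travels with the data."""
    check = tag(MESSAGE) if keyed else digest(MESSAGE)
    return not verify(corrupt_bit(MESSAGE), check, keyed)


def malicious_detected(keyed):
    """True when an attacker's rewrite is caught despite the recomputed check."""
    received, received_check = tamper(MESSAGE, keyed)
    return not verify(received, received_check, keyed)
```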
People, operations, and technology are the main elements that contribute to defense-in-depth network security. Once you identify and assess risks that threaten your business, you can determine your network security needs. This includes the type of technology you need to employ for perimeter security, responses to alerts generated from firewalls, intrusion detection and prevention, and logs. Let's start with firewalls.
Firewalls are a very traditional security measure that have been added to networks and end systems for over 25 years. For a firewall, traffic goes into one of two categories: desirable traffic to pass through, and undesirable traffic to block. The packet filter was one of the first firewall types to filter out unwanted traffic.
Vendors have found many diverse ways for firewalls to analyze and automatically categorize traffic, leading to different firewall variations. These include the first packet filters, next-generation firewalls, and now cloud-generation firewalls.
Unlike firewalls, an intrusion detection and prevention system (IDPS) monitors the network for malicious activity, reporting and responding to network security incidents and potential threats. A firewall looks for desired traffic and blocks the rest.
An intrusion detection system (IDS) looks for traffic that should not be there. It focuses on finding traffic from a hacker or other nefarious actor. As the technology progressed, someone must have asked a good question: If we know the traffic is from a hacker, why are we just recording it in the log? Why are we not discarding that traffic as soon as it is identified? From there, technology progressed to intrusion prevention systems (IPSs).
An IPS is active in nature. When it realizes that the traffic passing by is from a hacker, it takes an action and destroys that traffic. This sounds like a brilliant plan. In the real world, these systems are complicated to tune properly. If they are not tuned correctly, they discard good traffic and let in hacker traffic. So, most businesses stop at IDS and have logs, a security information and event management (SIEM) system, and incident response plans and teams in place.
A virtual private network (VPN) protects the confidentiality of data as it traverses your network. A VPN’s core is encryption, although it also uses authentication. There are three encryption options for a VPN, especially for the applications users have on their laptops or phones to connect to the office remotely. The three options are IPSec, SSL/TLS, and SSH. These three encryption protocols are used for other applications as well.
IPSec is an encryption protocol that can be used in about any scenario since it works at layer 3 of the Open Systems Interconnection (OSI) model from the International Organization for Standardization (ISO). Layer 3 is the network layer that gets data, voice, or video to its correct network destination. So, if you add IPSec, it will get your data to its destination in an encrypted and confidential format. A common use other than remote-access VPNs is site-to-site connectivity between business locations.
Transport Layer Security (TLS) is the upgrade to SSL. It would have been called SSL 4.0 if its ownership had not transferred from Netscape to the Internet Engineering Task Force (IETF) in 1999. TLS provides an encryption option for VPNs, but also for any web-based connection. These connections could be a browser-based connection to a bank, Amazon, or any other site that shows a lock in the corner of your browser.
Secure Shell (SSH) is primarily used for remote connections from one computer to another. It has commonly been used by network administrators to connect to servers, routers, and switches for administrative purposes. These connections are for configuration and monitoring.
When your company has content, books, manuals, etc. that you wish to share with your customers in a controlled manner, digital rights management (DRM) is the solution. DRM software is familiar to most people with a computer today.
If you watch Netflix or Amazon Prime Video or listen to music on Spotify or iTunes, you have seen DRM. If you read a book on Kindle, you cannot freely share that book with anyone. The Kindle application’s DRM software generally does not allow that, but it depends on the book’s rights.
If your company is worried that users will send an email that contains sensitive information such as a credit card number to someone outside the company, data leak prevention (DLP) is the solution.
DLP tools watch for traffic that should not leave a business, which would be a leak, and stop that transmission. At least that is the idea. DLP is very difficult to configure properly, but it is worth looking into to protect your company from accidental data leaks.
The most important control to add to all businesses is monitoring. It is important to watch for attacks, threats, breaches, hackers, etc. In security, it is best to assume that your business will get hacked, and that users will make mistakes. Then watch for attacks and be prepared to respond. One of the biggest problems for the average business is that they do not even know that they have been attacked.
Devices need to log events so you know what has happened and what is happening on your network. Once the events are recorded, they should be sent to a central syslog server for analysis.
The analysis tool is called a Security Information and Event Management (SIEM) system. It has the job of correlating events and looking for indicators of compromise (IOCs). If there is an IOC, someone should review the event and determine if action needs to be taken to stop an attack or to repair and restore the systems after an attack.
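The kind of correlation a SIEM performs over centrally collected syslog, as an added example that is not part of the original article: the SSH log lines are constructed in OpenSSH's format, the addresses come from documentation ranges, and the rule (a burst of failed logins from one source followed by a success from the same source) is a simple illustrative IOC, not a vendor's rule.

```python
import re
from collections import defaultdict

# Constructed syslog lines in OpenSSH style; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:15:03 gw01 sshd[2201]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:15:06 gw01 sshd[2203]: Failed password for ops from 203.0.113.7 port 51006 ssh2
Mar  3 10:15:09 gw01 sshd[2204]: Failed password for ops from 203.0.113.7 port 51008 ssh2
Mar  3 10:15:12 gw01 sshd[2205]: Failed password for ops from 203.0.113.7 port 51010 ssh2
Mar  3 10:15:40 gw01 sshd[2210]: Accepted password for ops from 203.0.113.7 port 51020 ssh2
Mar  3 10:20:00 gw01 sshd[2300]: Failed password for ops from 198.51.100.9 port 40001 ssh2
Mar  3 10:20:30 gw01 sshd[2301]: Accepted password for ops from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse(line):
    """Turn one syslog line into an event dict; None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, host, outcome, user, src = m.groups()
    return {"t": int(h) * 3600 + int(mi) * 60 + int(s), "host": host,
            "outcome": outcome, "user": user, "src": src}


def correlate(log_text, threshold=5, window=60):
    """Flag a source with >= threshold failures inside `window` seconds that is
    then followed by an accepted login from the same source."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    failures = defaultdict(list)  # src -> timestamps of recent failures
    alerts = []
    for e in events:
        recent = failures[e["src"]]
        if e["outcome"] == "Failed":
            recent.append(e["t"])
            failures[e["src"]] = [t for t in recent if e["t"] - t <= window]
        elif e["outcome"] == "Accepted":
            if len(recent) >= threshold and e["t"] - recent[-1] <= window:
                alerts.append({"src": e["src"], "user": e["user"],
                               "host": e["host"], "failures": len(recent)})
            failures[e["src"]] = []  # a success resets the counter for that source
    return alerts
```

Each alert is the hand-off point the text describes: a person reviews it and decides whether to block the source, reset the account, or treat the host as compromised.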