Network security measures
Network security measures are the security controls you add to your networks to protect confidentiality, integrity, and availability. These controls continue to evolve, but there is a lot of fundamental knowledge that is readily available. It takes effort to keep attackers out of your network. Firewalls, proxies, and gateways work toward that end.
It is dangerous to assume that those devices will absolutely keep attackers out of your network. Hackers eventually find a way in. A well-known hacker, Kevin Mitnick, claims 100% success when launching penetration testing against companies that have hired him to test their network security.
There is always a way in. Security requires continued work to learn, evolve, and stay ahead of the hackers. It is also critical to have incident response plans and teams in place when hackers do get in.
A firewall blocks or allows traffic to pass. The traffic allowed to pass through a firewall is specified in its configuration based on the type of traffic a business has and needs. The most important security best practice with a firewall is that it should block all traffic by default. It should then be configured to allow only specific traffic to known services. The configuration of the firewall is critical, so the firewall administrator's knowledge is crucial.
Firewalls operate at different layers within the International Organization for Standardization (ISO) Open Systems Interconnection (OSI) model. Usually, anything called a firewall lives at layers 2-5. If the firewall is at layer 7, it is often referred to as a proxy or gateway. The exception is a web application firewall (WAF), which uses the word firewall and is at layer 7. A firewall analyses the information found at the layer of the OSI model where it works.
Here are a few examples of how a firewall could operate at different layers:
- Layer 2 – data link – it could make a block or forward decision based on the media access control (MAC) address on the frame.
- Layer 3 – network – it could make a block or forward decision based on the Internet Protocol (IP) address within the packet.
- Layer 4 – transport – it could make a block or forward decision based on the transmission control protocol (TCP) port number in the segment.
- Layer 5 – session – it could make a block or forward decision based on the Real-time Transport Protocol (RTP) information.
- Layer 7 – application – it could make a block or forward decision based on the application or application service.
A firewall is configured with a list of rules that are sometimes referred to as policies. The firewall uses this list of rules to determine what to do with traffic once it arrives at the firewall. The rules work from a top-down perspective.
The firewall compares the frame or packet it just received to the first rule in the list. If it matches the traffic type of that rule, it follows the instructions for that rule. A rule could say the traffic can pass, or that it should be blocked and discarded.
If the frame or packet does not match the first rule, the firewall compares it to the second, and so on. If the traffic does not match any of the explicitly defined rules, the firewall follows the final rule, which should be to discard the traffic.
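The layered match criteria listed above and the top-down, first-match evaluation with a final default deny can be shown in a few lines. This is an added, constructed example and not code from any firewall product; the rule and packet fields (source MAC, CIDR networks, protocol, destination port) are assumptions chosen to mirror the layer 2, 3 and 4 decisions described in the text.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example: a tiny first-match firewall. Rules are checked top-down;
# the first rule whose every specified field matches decides the packet, and a
# packet that matches no rule is discarded by the implicit default-deny rule.

@dataclass
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int

@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    src_mac: Optional[str] = None  # layer 2 criterion
    src_net: Optional[str] = None  # layer 3 criterion (CIDR)
    dst_net: Optional[str] = None  # layer 3 criterion (CIDR)
    proto: Optional[str] = None    # layer 4 criterion
    dst_port: Optional[int] = None # layer 4 criterion

    def matches(self, p: Packet) -> bool:
        # Unspecified fields are wildcards; specified fields must all match.
        if self.src_mac and self.src_mac.lower() != p.src_mac.lower():
            return False
        if self.src_net and ip_address(p.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        return True

def evaluate(rules, p: Packet) -> tuple:
    """Return (action, rule_name) from the first matching rule, else default deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "deny", "default-deny"

RULES = [  # constructed policy; order matters
    Rule("block-rogue-nic", "deny", src_mac="00:11:22:33:44:55"),
    Rule("web-to-dmz", "allow", dst_net="203.0.113.0/24", proto="tcp", dst_port=443),
    Rule("dns-internal", "allow", src_net="10.0.0.0/8", proto="udp", dst_port=53),
]
```

Note that the rogue-MAC deny sits first, so a host with that address is blocked even when its traffic would otherwise match the web rule; reorder the rules and the outcome changes.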
A proxy firewall lives at layer 7 of the OSI model. When a proxy receives traffic, it processes the frame or packet up through the layers. For example, the frame header is stripped off at layer 2, the packet headers are removed at layer 3, and so on until only the application data remains at layer 7.
The transport layer security (TLS) connection is terminated at layer 4, and the data is in clear text within the proxy from that point forward. The proxy then analyses the data being transmitted, which would have been impossible at lower levels because of the encryption. This enables the device to analyse a lot more data than a standard firewall. This usually takes more time or processing power than a firewall, but gives greater control over user traffic.
The term gateway has different meanings depending on who you talk to. A gateway was traditionally a piece of hardware that sat between two networks. The average gateway today has a firewall element in it. For example, Microsoft Azure has a WAF built into its gateway. So, a gateway is now debatably a type of firewall.
Intrusion detection & prevention systems
The next concern is to detect intrusions into a network using intrusion detection systems (IDSs). These devices are passive. They watch network traffic go by and log suspicious traffic. An IDS could be on the network or on the end device. Depending on where it is, it is called a network-based IDS (NIDS) or a host-based IDS (HIDS).
A NIDS is usually connected to a tap or span port of a switch. This means that traffic is passed on to its destination without interference, and a copy goes via the span port to the NIDS for analysis. A HIDS resides on the laptop, tablet, server, etc. Most HIDS do not analyse live traffic, but instead analyse traffic logs after the fact.
At some point, the manufacturers took these devices to the next level. If they can detect an attack, why not just discard suspicious frames or packets at the device instead of only reporting on them? This is how intrusion prevention systems (IPSs) came about. IPSs can also be network-based (NIPS) or host-based (HIPS).
This is a wonderful idea, but it comes with a downside. The IPS must know what is and is not good traffic. This can be done with signature files, or the IPS can learn what normal traffic looks like and flag deviations from it.
Virtual private network (VPN)
The next concern to address is how to protect data, voice, or video that is transmitted anywhere someone might be able to eavesdrop. This includes within a corporate or home network and outside of those networks such as across the internet or on a service provider’s network.
Encryption addresses this concern by making the data unreadable without the key. For data-in-transit, there are a few options for encryption. They are as follows:
- Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
- Secure Shell (SSH)
- Internet Protocol Security (IPsec)
SSL/TLS has been in use since 1995 to protect browser-based connections. Netscape invented SSL. Versions 2.0 and 3.0 were in use until the Internet Engineering Task Force (IETF) adopted and renamed it. This occurred in 1999 when America Online (AOL) bought Netscape. Now TLS 1.3 (RFC 8446) is the latest version. TLS is not only used for browser-based connections. It is also used for a user VPN connection to connect to the office.
SSL/TLS is a transport layer protocol that uses TCP port 443 when applied to browser connections.
SSH is an encryption method most commonly used for remote login. Network administrators use SSH to remotely log in to and administer network devices such as routers and switches. It is generally thought of as a replacement for Telnet, which is a layer 7 remote login protocol that is not encrypted, although SSH can also be used for VPN connections. SSH is specified in IETF RFC 4253. It uses TCP port 22.
IPsec is a network layer protocol that provides encryption and integrity checking capability to any connection type. There are many different IETF RFC documents that specify the different parts of what is considered IPsec. RFC 6071 offers a roadmap showing how these documents relate to each other.
IPsec provides two security protocols: authentication header (AH) and encapsulating security payload (ESP).
- AH is used to provide data origin authentication and integrity. An IPsec implementation does not have to support AH. AH encrypts the header of the IP packet.
- All IPsec implementations must support ESP, which offers data origin authentication, integrity and confidentiality. ESP encrypts the payload of the IP packet.
Data leak prevention & digital rights management
Intellectual property (IP) protection continues to be a concern. IP includes manuals, processes, design documents, research and development data, etc. There are two major issues. The first is keeping confidential information contained, and the second is ensuring that information can be seen only by those you want to see it. Data classification and access control are two of the many things used to appropriately control access.
Concerns over data flowing out of your business inappropriately can be controlled by data leak prevention (DLP) technology. It watches for sensitive information in data flows such as emails or file transfers.
If DLP software sees sensitive information such as a credit card number, it blocks or stops the transmission. It can also encrypt it if that is a more appropriate action. The question is what your business wants to control and how it wants the network to respond when the DLP software detects that data.
Digital rights management (DRM) uses technology to control access to IP. If you have used Kindle, iTunes, Spotify, Netflix, or Amazon Prime Video, you have used DRM software. The software enables you to see the video, read the book, or listen to the music once you have purchased it from the vendor. A business example is Cisco controlling access to course manuals once the customer purchases a class.
Javelin and LockLizard are other examples of DRM technology businesses can use to control content distribution. DRM technology uses access control that governs how long someone can use the content, if it can be printed, if it can be shared, etc. The parameters are based on the IP owner’s desires.
Logs, monitoring, and SIEMs
Possibly the most critical security measures a business can put in place involve security issue detection and correction. The starting point is logging. Virtually all systems on or attached to a network should generate logs.
A business determines what exactly to log. This could include login attempts, traffic flows, packets, actions taken, or even every keystroke a user makes. The decision on what to log should be based on the risk appetite of the business, the sensitivity of the assets and the vulnerabilities of the systems.
All of these systems should generate logs:
Systems on the network
- Routers and switches
- IDS and IPS
Systems connected to the network
- Desktop and mobile phones
- All Internet of Things (IoT) devices
This results in a huge number of recorded events. To make sense of all this data, it is necessary to send the logs, which are also audit trails, to a central location such as a syslog server. Once the logs are at a syslog server, a security information and event management (SIEM) tool analyses them.
A SIEM is a tool that analyses the logs from all systems and correlates the events. It looks for indicators of compromise (IOCs). An IOC does not always translate into evidence of an actual event, so it must be analysed by humans. This is where a security operations centre (SOC) and an incident response team (IRT) must determine the next actions to take.
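The correlation step can be shown with a single rule run over syslog lines. This is an added, constructed example and not the logic of any SIEM product; the sshd log format, the sample lines, the failure threshold and the time window are all assumptions, and the output is a finding for human review, not a verdict.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Constructed example: one SIEM-style correlation rule. It parses sshd syslog
# lines, groups them by source IP and raises an IOC when a burst of failed
# logins is followed by a success from the same address (possible brute force).
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")

def parse(line: str, year: int = 2024) -> Optional[dict]:
    m = LINE.match(line)
    if not m:
        return None          # not an sshd auth event; ignored by this rule
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"], "user": m["user"], "ip": m["ip"]}

def correlate(lines, threshold: int = 5, window_s: int = 120) -> list:
    events = [e for e in map(parse, lines) if e]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        failures = []
        for e in evs:
            # keep only the failures that fall inside the sliding window
            failures = [f for f in failures if (e["ts"] - f["ts"]).total_seconds() <= window_s]
            if e["result"] == "Failed":
                failures.append(e)
            else:
                if len(failures) >= threshold:
                    findings.append({"ioc": "brute-force-then-success", "ip": ip,
                                     "user": e["user"], "failures": len(failures)})
                failures = []   # a success ends the burst either way
        if len(failures) >= threshold:
            findings.append({"ioc": "brute-force-attempt", "ip": ip, "failures": len(failures)})
    return findings

SAMPLE_LOGS = [  # constructed sample lines
    "Jan 10 12:00:01 bastion sshd[4021]: Failed password for root from 198.51.100.7 port 50122 ssh2",
    "Jan 10 12:00:03 bastion sshd[4021]: Failed password for root from 198.51.100.7 port 50123 ssh2",
    "Jan 10 12:00:04 bastion sshd[4021]: Failed password for invalid user admin from 198.51.100.7 port 50124 ssh2",
    "Jan 10 12:00:06 bastion sshd[4021]: Failed password for root from 198.51.100.7 port 50125 ssh2",
    "Jan 10 12:00:09 bastion sshd[4021]: Failed password for root from 198.51.100.7 port 50126 ssh2",
    "Jan 10 12:00:15 bastion sshd[4022]: Accepted password for root from 198.51.100.7 port 50127 ssh2",
    "Jan 10 12:05:40 bastion sshd[4031]: Failed password for alice from 10.0.0.12 port 61000 ssh2",
    "Jan 10 12:05:44 bastion sshd[4031]: Accepted password for alice from 10.0.0.12 port 61000 ssh2",
]
```

A single typo followed by a successful login (the alice lines) produces no finding, which is the kind of tuning that keeps the analyst queue manageable.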