July 10, 2015
The Unconventional Guide to Network Security 1.1
Leveraging CompTIA's list of Security+ exam objectives (http://certification.comptia.org/docs/default-source/exam-objectives/comptia-security-sy0-401.pdf), I'll go through each element and provide examples. This article covers the first domain, Network Security (1.0), and its first sub-heading (1.1). The examples are not in any particular order of preference or recommendation; they're just quick, easily found examples. I have no affiliation with any of the companies or products mentioned. These products and examples are listed because:
- When you're starting out, it can be difficult to grasp "what's what"
- If you're in charge of a virtual environment, you likely won't have first-hand encounters with many of these tools (e.g., firewalls and VPN concentrators), because they're managed solely by your VM provider/datacenter
- If you're in an SMB, you may not have the need or the resources for things like load balancers and web application firewalls
1.0 Network Security

1.1 Explain the security function and purpose of network devices and technologies

Firewalls – e.g., Juniper SRX Series (hardware) and Comodo Firewall (free software)
These "guard dogs" of a network are vital for companies. They block or allow network traffic based on the rules you set. The typical default policy is "deny all": nothing is allowed in until you add a rule that permits it (e.g., TCP to port 80). On most firewalls the rules are evaluated in order and the first match wins, so an overly broad "allow" placed early in the list quietly overrides the stricter rules below it. Hardware firewalls typically come with a management GUI, often web-based, for easier configuration and maintenance.

Routers – e.g., Cisco RV130W
Routers connect your network to other networks (including your own subnets) by forwarding packets according to a routing table. Your home cable "modem" is a common example: it is really a router with a modem built in. Using the destination address in each packet's IP header ("I'm from network A and need to reach computer C on network B"), the router looks up the next hop in its table and sends the packet on. Get familiar with the terms 10/100/1000 Mbps (Ethernet link speeds).

Switches – e.g., Netgear GS108
A switch is kind of like a power strip for your router: it provides extra ports and forwards frames between devices on the same local network, using the MAC addresses it learns on each port. For homes, the router is (most often) built into the modem from the ISP; you plug the computers into its extra switch ports so they can all communicate with each other. For businesses, the incoming internet line plugs into the business router, and from there into a multi-port switch, which is often wired to wall jacks throughout the building.

Load Balancers – e.g., Barracuda Load Balancer ADC, Citrix
These are used in front of DNS servers, web server farms and any other service that a lot of people use at once, where the workload could slow down, or even cripple, a single server. The load balancer tracks how busy each back-end server is and steers incoming connections to a less-used one.
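The firewall behaviour described above (rules checked top to bottom, first match wins, implicit deny for anything unmatched) as an added Python illustration. This is not code from Juniper, Comodo or any other product; the rule format, the policy and the sample packets are constructed for the example, using RFC 5737 documentation addresses.

```python
"""Minimal stateless packet filter: first matching rule wins, default deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source CIDR, e.g. "0.0.0.0/0"
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        """True when every field of the rule agrees with the packet header."""
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def evaluate(rules, pkt, default="deny"):
    """Return the action of the first rule that matches, else the default.

    The default is the "deny all" the article describes: a packet that no
    rule mentions is dropped, not forwarded."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Hypothetical inbound policy for a web server at 203.0.113.10:
# HTTP and HTTPS from anywhere, SSH only from the admin subnet
# 198.51.100.0/24, and everything else falls through to the implicit deny.
INBOUND = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80),
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("allow", "tcp", "198.51.100.0/24", "203.0.113.10/32", 22),
]


def demo():
    """Run four constructed packets through the policy; returns name -> verdict."""
    packets = {
        "web":          {"proto": "tcp", "src": "192.0.2.7",    "dst": "203.0.113.10", "dport": 443},
        "admin_ssh":    {"proto": "tcp", "src": "198.51.100.9", "dst": "203.0.113.10", "dport": 22},
        "stranger_ssh": {"proto": "tcp", "src": "192.0.2.7",    "dst": "203.0.113.10", "dport": 22},
        "udp_probe":    {"proto": "udp", "src": "192.0.2.7",    "dst": "203.0.113.10", "dport": 53},
    }
    return {name: evaluate(INBOUND, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

The "stranger_ssh" and "udp_probe" packets are never named by any rule; they are dropped purely because the default is deny. Reverse the default to "allow" and the same policy lets them straight through, which is why a deny-all default is the setting to verify first on any firewall you inherit.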
Proxies – e.g., IWSVA (Internet Web Security Virtual Appliance)
These devices sit between the company and the internet. In the typical (forward proxy) setup all web traffic from the company funnels through the proxy, and rules are applied as needed ("Yes, you can go there; no, you can't go there"). Each site visited sees only the proxy's public IP address, never the internal address of the workstation that made the request. Replies come back to the proxy, which maps each one to the computer that originated the request. Sites visited, who visited them and how often are logged and can be used for reporting.
Web Security Gateways – e.g., Websense Web Security Gateway
AKA Secure Web Gateways, these provide policy enforcement (internet-related IT and corporate policy), URL filtering, malicious code filtering (e.g., protecting the end-user from malware that their own browsing triggers) and application controls for web-based applications (e.g., Skype).
VPN Concentrators – e.g., Cisco VPN 3000 Series
These devices are similar to routers, but they are built to terminate and manage many VPN tunnels at once (authenticating each peer and handling the encryption for every tunnel). A workstation on a VPN typically connects to just one tunnel, but a company can have many VPNs, and that's where this device is used. If your company has multiple locations with different network addresses and is using a cloud-based vendor, the vendor could have a concentrator to manage a) multiple companies, and b) your company's multiple network schemes.
NIDS and NIPS (Behavior-based, Signature-based, Anomaly-based, Heuristic) – e.g., Snort (free software)
The "N" stands for "network": the sensor is an appliance (separate from your computers) that stands watch over inbound and outbound network traffic. The "D" stands for "detection": it watches traffic, decides whether it looks bad, and alerts you. The "P" stands for "prevention": it sits inline and blocks traffic according to the rules you set up. The "S" stands for "system," which can be software or hardware.
Signature-based asks, "Does this traffic match a known-bad pattern?" (The rule spells out what bad looks like, so it only catches what it already knows about.)
Anomaly-based asks, "Does this traffic deviate from the baseline of normal I've established?" (It can catch attacks nobody has written a signature for, but anything unusual looks like an attack.)
Behavior-based asks, "Is this traffic behaving the way an attack behaves?" (e.g., one host suddenly connecting to hundreds of ports.)
Heuristic detection applies problem-solving rules rather than exact matches; it's a low-level form of artificial intelligence, so "training" can occur on the device by gradually adjusting the rules and filters that define what's acceptable, and it adapts as the baseline changes.
A notable drawback: false positives. Good traffic can be classified as bad (e.g., your developers could be load-testing something and get blocked because the traffic is unusual for the baseline), and on an inline NIPS a false positive becomes an outage rather than just an alert.
NOTE: Don't confuse the NIDS with NIDs, which stands for Network Interface Devices!

Protocol Analyzers – e.g., Wireshark (free)
A protocol analyzer captures each packet, keeps a record of it and decodes it layer by layer (Ethernet, IP, TCP, application data) into its individual fields. You can go back later (even seconds later, if you simply save the capture) and check the records for anomalies.
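Signature-based and anomaly-based detection side by side, as an added Python example for the NIDS/NIPS discussion above. It is not Snort code: the flow records, the two signatures and the z-score threshold are constructed for illustration, and the five-flow "training period" stands in for the days of normal traffic a real sensor would baseline on.

```python
"""Two NIDS detection styles run over constructed flow summaries."""
import re
import statistics

# Constructed flow summaries: (src, dst, dport, bytes, payload_excerpt).
# The first five are ordinary web traffic and serve as the baseline.
FLOWS = [
    ("10.0.0.5",   "10.0.1.20", 80, 1200,  b"GET /index.html HTTP/1.1"),
    ("10.0.0.6",   "10.0.1.20", 80, 1500,  b"GET /about HTTP/1.1"),
    ("10.0.0.7",   "10.0.1.20", 80, 900,   b"GET /images/logo.png HTTP/1.1"),
    ("10.0.0.8",   "10.0.1.20", 80, 1300,  b"POST /login HTTP/1.1"),
    ("10.0.0.9",   "10.0.1.20", 80, 1100,  b"GET /contact HTTP/1.1"),
    # attack: directory traversal, but a perfectly normal-sized request
    ("192.0.2.44", "10.0.1.20", 80, 1250,  b"GET /../../etc/passwd HTTP/1.1"),
    # developer bulk import: benign, but roughly 40x the usual flow size
    ("10.0.0.50",  "10.0.1.20", 80, 48000, b"POST /api/bulk-import HTTP/1.1"),
]

# Hypothetical signature rules: (sid, description, dport, payload regex)
SIGNATURES = [
    (1001, "directory traversal", 80, re.compile(rb"\.\./.*etc/passwd")),
    (1002, "SQL injection probe", 80, re.compile(rb"(?i)union\s+select")),
]


def signature_alerts(flows, signatures=SIGNATURES):
    """Signature-based: alert when a flow matches a known-bad pattern."""
    alerts = []
    for src, _dst, dport, _nbytes, payload in flows:
        for sid, desc, sig_port, pattern in signatures:
            if dport == sig_port and pattern.search(payload):
                alerts.append((sid, desc, src))
    return alerts


def anomaly_alerts(flows, baseline_window=5, z_threshold=3.0):
    """Anomaly-based: learn a baseline of flow sizes, alert on outliers.

    The first `baseline_window` flows are the training period; every later
    flow is scored by how many standard deviations it sits from the mean."""
    training = [f[3] for f in flows[:baseline_window]]
    mean = statistics.mean(training)
    stdev = statistics.pstdev(training) or 1.0   # guard against a flat baseline
    alerts = []
    for src, _dst, _dport, nbytes, _payload in flows[baseline_window:]:
        z = (nbytes - mean) / stdev
        if abs(z) > z_threshold:
            alerts.append(("anomaly", f"flow size z={z:.1f}", src))
    return alerts


if __name__ == "__main__":
    print("signature:", signature_alerts(FLOWS))
    print("anomaly:  ", anomaly_alerts(FLOWS))
```

The two detectors disagree on both interesting flows: the signature engine catches the traversal attempt and ignores the developer's import, while the anomaly engine flags the developer (the false positive the article warns about) and misses the attack, because its payload is the same size as everyone else's. That is the argument for running both, and for keeping a NIPS in alert-only mode on new traffic until the baseline has been tuned.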
Sniffers – (it's hard to find a pure sniffer, but this page at Sectools.org - http://sectools.org/tag/sniffers/ - has a list of free programs with sniffers as part of the package)
There's some overlap between sniffers and protocol analyzers. Sniffers watch and capture traffic, but don't necessarily decode it. Think of them as tools for packet capture, not for analysis.
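The split between capture and analysis in the two paragraphs above, as an added Python example: `build_frame` plays the sniffer's part and hands over raw bytes, `dissect` plays the protocol analyzer and decodes them field by field, including the IPv4 header checksum that tools like Wireshark flag when it fails. This is not Wireshark code; the frame is constructed in-line with `struct.pack` rather than captured, using RFC 5737 documentation addresses and locally administered MAC addresses.

```python
"""Dissect one Ethernet II / IPv4 / TCP frame the way a protocol analyzer does."""
import struct

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header.

    Computed over a header whose checksum field is zero it yields the value
    to store; computed over a header that already carries a correct checksum
    it yields 0, which is how the dissector verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes) -> bytes:
    """Constructed sample frame (stands in for what a sniffer captures)."""
    eth = (bytes.fromhex("020000000002")        # destination MAC
           + bytes.fromhex("020000000001")      # source MAC
           + struct.pack("!H", 0x0800))         # EtherType: IPv4
    tcp = struct.pack("!HHIIBBHHH",
                      40123, 80,                # source port, destination port
                      1000, 1,                  # sequence, acknowledgement
                      5 << 4,                   # data offset 5 words, no options
                      0x18,                     # flags: PSH|ACK
                      65535, 0, 0)              # window, checksum (left 0), urgent
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len,        # version 4 / IHL 5, DSCP, total length
                     0x1234, 0x4000,            # identification, DF flag + offset 0
                     64, 6, 0,                  # TTL, protocol TCP, checksum placeholder
                     bytes([192, 0, 2, 10]), bytes([203, 0, 113, 5]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def dissect(frame: bytes) -> dict:
    """Walk the headers layer by layer and return the decoded fields."""
    out = {}
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out["eth"] = {"dst": dst_mac.hex(":"), "src": src_mac.hex(":"), "type": hex(ethertype)}
    if ethertype != 0x0800:
        out["note"] = "not IPv4; dissection stops here"
        return out
    vihl, _dscp, tlen, _ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (vihl & 0x0F) * 4                  # header length in bytes (options included)
    out["ip"] = {"version": vihl >> 4, "ihl": ihl, "total_length": tlen,
                 "ttl": ttl, "proto": proto,
                 "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
                 "checksum_ok": ipv4_checksum(frame[14:14 + ihl]) == 0}
    if proto != 6:
        return out
    t = 14 + ihl
    sport, dport, seq, ack, off_res, flags, window, _tcsum, _urg = \
        struct.unpack("!HHIIBBHHH", frame[t:t + 20])
    thl = (off_res >> 4) * 4                 # TCP header length in bytes
    out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                  "window": window,
                  "flags": [name for bit, name in TCP_FLAGS if flags & bit]}
    out["payload"] = frame[t + thl:14 + tlen]
    return out


if __name__ == "__main__":
    for layer, fields in dissect(build_frame(b"GET / HTTP/1.1\r\n")).items():
        print(layer, fields)
```

Flipping a single bit in the captured TTL byte makes `checksum_ok` false, which is exactly the kind of detail you only see once packets are decoded rather than merely captured.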
Spam Filters, all-in-one security appliances – e.g., Symantec.cloud (online), Barracuda Spam Firewall (physical device)
This software/device filters inbound and outbound email for malicious content. It has varying levels of detection, and most, if not all, new messages get inspected to determine what's in each attachment. The differences between tools dictate price, capabilities and how long email takes to be processed: the more fully a tool inspects each incoming and outgoing message, the more protection it gives (but the longer it takes to send and receive). These tools can also be used to prevent data leakage (aka DLP – Data Loss Prevention).

Web Application Firewall vs. Network Firewall – (e.g., Trustwave's Web Application Firewall)
The WAF (Web Application Firewall) is a device, plug-in or filter that examines the inbound and outbound web traffic of a web server application. A network firewall that permits ports 80 and 443 passes every connection on those ports, regardless of what the request contains, so an attack carried inside an ordinary-looking web request sails straight through it. The WAF inspects the content of those web transactions between your web server and the world at large; two common attacks it looks for are cross-site scripting (XSS) and SQL injection. An appliance WAF can be placed right behind the network firewall; a host-based WAF is installed on the web server itself (as a module or plug-in) to intercept requests before they reach the application.
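The difference between the two decisions described above, as an added Python example: a port-based firewall check and a WAF check run over the same constructed requests. This is not code from Trustwave or any other WAF; the requests and the two pattern rules are invented for illustration, and real WAF rule sets are far larger and still need tuning for false positives.

```python
"""Port-based firewall decision vs. content-based WAF decision on the same requests."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed inbound requests: the destination port (all a network firewall
# sees) and the HTTP request line (what a WAF reads).
REQUESTS = [
    {"dport": 443,  "line": "GET /search?q=network+security HTTP/1.1"},
    {"dport": 443,  "line": "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1"},
    {"dport": 443,  "line": "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1"},
    {"dport": 8080, "line": "GET /search?q=hello HTTP/1.1"},
]

# Hypothetical WAF rules: one reflected-XSS marker, one SQL tautology.
WAF_RULES = [
    ("xss-script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("sqli-tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE)),
]


def network_firewall(req, allowed_ports=(80, 443)):
    """Layer 3/4 decision: only the port is consulted, the URL is never read."""
    return "allow" if req["dport"] in allowed_ports else "deny"


def waf(req, rules=WAF_RULES):
    """Layer 7 decision: decode the request target and match every parameter.

    Matching happens on the *decoded* values; a WAF that only matches the raw
    percent-encoded form is bypassed by simply encoding the payload."""
    _method, target, _version = req["line"].split(" ", 2)
    parts = urlsplit(target)
    values = [v for _k, v in parse_qsl(parts.query, keep_blank_values=True)]
    values.append(unquote(parts.path))
    for name, pattern in rules:
        if any(pattern.search(v) for v in values):
            return ("block", name)
    return ("allow", None)


def compare(requests=REQUESTS):
    """Both verdicts for each request, in order."""
    return [(network_firewall(r), waf(r)[0]) for r in requests]


if __name__ == "__main__":
    for r, (fw, w) in zip(REQUESTS, compare()):
        print(f"{r['dport']:5d} {fw:5s} {w:5s}  {r['line']}")
```

Requests two and three are an XSS probe and a SQL injection probe on port 443: the network firewall allows both because the port is permitted, and only the WAF blocks them. Request four is harmless but lands on a port the firewall does not open, so it never reaches the WAF at all. The two controls are layered precisely because neither one can make the other's decision.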
URL Filtering, Content Inspection, Malware Inspection – (pretty much any anti-virus/complete internet security product)
With all of these elements, HTTP requests and responses are compared against a database of known-malicious sites, words/phrases and/or file types, and any match is dealt with according to policy (e.g., denied, allowed, or allowed with a warning to the user). These products are often bundled together in one package as a convenient way to protect the end-user from visiting bad sites or downloading malware. You may think, "Well, my software already does that," yet it's important to know all the details, since you're going to be a security professional!

Please share your comments below, and good luck on the CompTIA exam(s) and in your cybersecurity pursuits.