
CHAPTER 5 : Administering a secure network

Secure Network protocols

Protocols -Rules for communication
-Essential for proper communication between network devices

Transmission Control Protocol/Internet Protocol (TCP/IP) -Most common protocol suite used for local area networks and the Internet
-Comprises several protocols that all function together

IP -Protocol that functions primarily at the Open Systems Interconnection (OSI) Network Layer (Layer 3)
-Provides network addressing and routing

TCP -Transport Layer (Layer 4) protocol
-Establishes connections and ensures reliable data transport between devices

TCP/IP uses a four layer architecture
• Network Interface, Internet, Transport, Application

Secure email protocols

-Secure/Multipurpose Internet Mail Extensions (S/MIME)
• A protocol for securing email messages
-S/MIME has limitations:
• Cannot be used when mail is accessed through a web browser instead of a dedicated email application
• Because S/MIME encrypts the entire message, this makes it difficult for any third-party tools that inspect email for malware, because it also would be encrypted
-Some enterprises and government agencies automate encrypting and decrypting email
• Use a mail gateway appliance

Several basic TCP/IP protocols that relate to security

Simple Network Management Protocol (SNMP)

-Used to manage network equipment and is supported by most network equipment manufacturers
-Allows administrators to remotely monitor, manage, and configure network devices
-Functions by exchanging management information between network devices
-Each SNMP-managed device has an agent or a service
• Listens for and executes commands
-Agents are password protected
• Password is known as a community string
-Security vulnerabilities were present in SNMP versions 1 and 2
• Version 3 uses usernames and passwords along with encryption to address vulnerabilities

Domain Name System (DNS)

-A TCP/IP protocol that maps IP addresses to their symbolic name
-The DNS database is organized as a hierarchy
-Database consists of the name of a site and a corresponding IP number
-The database is distributed to many different servers on the Internet
• To prevent bottlenecking and to ensure efficiency
-DNS is often the focus of attacks
-DNS poisoning substitutes a fraudulent IP address
• Can be done in the local host table or an external DNS server
• Can be thwarted by using Domain Name System Security Extensions (DNSSEC)
-DNSSEC adds additional resource records and message header information which can be used to verify the requested data has not been altered in transmission
-Attacker asks the valid DNS for a zone transfer
• A zone transfer allows attacker access to network, hardware, and operating system information

File Transfer Protocol (FTP)

-TCP/IP protocol used for transferring files
-File transfer protocol (FTP) – an unsecure protocol used to connect to an FTP server
-Methods for using FTP on local host computer
• From a command prompt
• Using a web browser
• Using an FTP client
-Using FTP behind a firewall can present challenges
• FTP uses two ports
o Port 21 is the FTP control port
o Port 20 is the data port
• FTP active mode
o Client’s firewall may sometimes drop packets on Port 20 (the data channel connection)
• FTP passive mode
o The client sends a PASV command to the command channel and the server responds with the TCP port number to use to establish the data channel
-FTP vulnerabilities
• Does not use encryption
• Files transferred using FTP are vulnerable to man-in-the-middle attacks
-Secure transmission options over FTP
• Secure sockets layer (FTPS) encrypts commands
o Uses SSL or TLS to encrypt commands sent over the control port (port 21); data port may not be encrypted
• Secure FTP (SFTP)
o Uses only a single TCP port instead of two ports
o All data and commands are encrypted

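The two data-channel negotiations described above, as an added example (not part of the original notes): the client-side parser for the server's passive-mode PASV reply, and the active-mode PORT command in which the client instead announces its own address and the server connects back from port 20. The 256-based port encoding is the RFC 959 format; the reply strings used in the test are constructed.

```python
import re

# Passive-mode reply on the control channel: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_ADDR_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return the (host, port) the client must connect to for the data channel.

    The server sends the port as two bytes, p1 and p2; the real port is p1 * 256 + p2.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = _ADDR_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in: {reply!r}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("server announced data port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port

def build_port_command(client_ip: str, client_port: int) -> str:
    """Active mode: the client announces its own listening address with PORT,
    and the server then connects inbound to it from port 20. That inbound
    connection is what a client-side firewall tends to drop."""
    if not 1 <= client_port <= 65535:
        raise ValueError(f"invalid client port {client_port}")
    octets = client_ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError(f"invalid IPv4 address {client_ip!r}")
    return f"PORT {','.join(octets)},{client_port // 256},{client_port % 256}"
```

In passive mode the client opens the data connection outbound, which is why it usually works through a stateful client-side firewall while active mode does not.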
Using Secure Network protocols

Application or technology – Recommended secure protocol

Voice and video – Secure Real-time Transport Protocol (SRTP)
Time synchronization – Network Time Protocol (NTP)
Email – Secure/Multipurpose Internet Mail Extensions (S/MIME)
Web browsing – Hypertext Transport Protocol Secure (HTTPS)
File transfer – Secure FTP (SFTP)
Remote access – Virtual Private Network (VPN)
Domain name resolution – DNS Security Extensions (DNSSEC)
Routing and switching – IP Security (IPsec)
Network address translation – IP Security (IPsec)
Subscription services – IP Security (IPsec)

Placement of security devices and technologies

• The protection that security devices provide can be easily negated if those devices are not properly located in the network architecture
• SSL/TLS accelerator – a separate hardware card that inserts into a web server and contains co-processors to handle SSL/TLS processing
o An SSL/TLS hardware module can be installed as a “virtual SSL/TLS server” alongside the forward proxy server
• Port mirrors – allow the administrator to configure a switch to copy traffic that occurs on some or all ports to a designated port on the switch (see Figure 7-4)
• Network tap (test access point) – a device that can monitor traffic (see Figure 7-5)

REMEMBER !!!!
Sensors, collectors, and filters – should be placed where the stream of data is largest
-Sensors monitor traffic for network intrusion detection and prevention devices
-Collectors gather traffic for SIEM devices
-Filters block traffic for Internet content filters

Aggregation switch -used to combine multiple network connections into a single link

-Should be located between routers and servers where they can detect and stop attacks directed at a
server or application

Correlation engine -aggregates and correlates content from different sources to uncover an attack

-Should be in the protected internal network using data collected from the logs of different hardware
devices

DDoS mitigator -a hardware device that identifies and blocks real-time distributed denial of service (DDoS) attacks

-Should be in the network where they can monitor the largest stream of data

Analyzing security data

Security logs -Can reveal types of attacks that are being directed at the network and if attacks were successful

Access logs -Provide details regarding requests for specific files

Audit logs -Used to record which user performed an action

Event logs -Document any unsuccessful events and the most significant successful events

A routine review of logs helps to identify
• Security incidents
• Policy violations
• Fraudulent activity
• Operational problems

Logs can be useful for
• Performing auditing analysis
• Supporting the organization’s internal investigations
• Identifying operational trends and long-term problems
• Providing documentation that the organization is complying with laws and regulatory requirements

Data from security devices – Almost every hardware device designed for security can generate logs

Firewall log items to be examined
• IP addresses rejected and dropped
• Probes to ports that have no application services on them
• Source-routed packets
• Suspicious outbound connections
• Unsuccessful logins
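The firewall-log checklist above turned into a small triage script, as an added example that is not part of the original notes. The log lines are constructed in a simple key=value style (no real product's format), and the sets of service ports and expected outbound ports are assumptions for the protected host.

```python
import re
from collections import Counter

# Constructed sample firewall log (key=value style); not from any real product
SAMPLE_LOG = """\
2024-05-01T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=23
2024-05-01T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=3389
2024-05-01T10:00:03 ACCEPT src=198.51.100.4 dst=192.0.2.10 proto=TCP dport=443
2024-05-01T10:00:04 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=445
2024-05-01T10:00:05 AUTHFAIL user=admin src=203.0.113.9
2024-05-01T10:00:06 ACCEPT src=192.0.2.10 dst=198.51.100.77 proto=TCP dport=4444 dir=out
"""

# Assumed for the example: ports where the protected host really offers a service,
# and outbound destination ports this host is expected to use
SERVICE_PORTS = {22, 443}
EXPECTED_OUTBOUND = {53, 80, 443}

_KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> dict:
    """Split a line into timestamp, action and its key=value fields."""
    parts = line.split(maxsplit=2)
    fields = dict(_KV.findall(parts[2])) if len(parts) > 2 else {}
    return {"ts": parts[0], "action": parts[1], **fields}

def triage(log_text: str) -> dict:
    """Run the firewall-log checklist from the notes over every line."""
    findings = {"dropped_sources": Counter(), "closed_port_probes": [],
                "failed_logins": [], "suspicious_outbound": []}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["action"] == "DROP":
            findings["dropped_sources"][ev["src"]] += 1
            port = int(ev["dport"])
            if port not in SERVICE_PORTS:  # probe of a port with no service behind it
                findings["closed_port_probes"].append((ev["src"], port))
        elif ev["action"] == "AUTHFAIL":
            findings["failed_logins"].append((ev["src"], ev["user"]))
        elif ev["action"] == "ACCEPT" and ev.get("dir") == "out":
            port = int(ev["dport"])
            if port not in EXPECTED_OUTBOUND:  # unexpected outbound connection
                findings["suspicious_outbound"].append((ev["src"], ev["dst"], port))
    return findings
```

Source-routed packets are not represented in the sample format; a real device would expose them as a separate flag to check in the same loop.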

Data from security software

-Security software can produce important data that can be analyzed
-Data Execution Prevention (DEP)
• A Microsoft Windows feature that prevents attackers from using buffer overflow to execute malware
-DEP events and those from similar software can be logged along with the level of severity
-File integrity check (FIC)
• A service that can monitor any changes made to computer files, such as OS files
• These changes can compromise security and indicate a security breach has occurred

Data from security tools

Application whitelisting
-Description: A whitelist is an inventory of applications and associated components that have been pre-approved and authorized to be active and present on the device
-Explanation: Application whitelisting technologies are designed to permit only known good activity and block everything else

Removable media control
-Description: Removable media control is a tool that can be used to restrict which removable media can be attached to a system
-Explanation: Removable media can introduce malware into a system and be used to steal valuable information

Advanced malware management
-Description: Often a third-party service, advanced malware management tools monitor a network for any unusual activity
-Explanation: Advanced malware management tools often use experience-based techniques such as heuristic monitoring to determine if a threat exists

Issues in analyzing security data

-There are issues with log management
• Generating, transmitting, storing, analyzing, and disposing of computer security log data
-This is due to:
• Multiple devices generating logs
• Very large volume of data
• Different log formats
-A solution:
• Use a centralized device log analyzer

Managing and securing network platforms: some applications and platforms require special security considerations

1. Cloud computing

On-premises model
-Enterprises in the past purchased all the hardware and software necessary to run the organization
-Resulted in spiraling costs

Hosted services
-Servers, storage, and the supporting networking infrastructure are shared by multiple enterprises over a remote network connection

Cloud computing
-A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources
-It is a pay-per-use computing model
• Customers pay for only the resources they need
• Types of clouds
o Public cloud
o Community cloud
o Private cloud
o Hybrid cloud
-Four service models in cloud computing:
• Software as a Service (SaaS) = Vendor provides access to the vendor’s software applications running on a cloud infrastructure
• Platform as a Service (PaaS) = Consumers install and run their own specialized applications on the cloud computing network
• Infrastructure as a Service (IaaS) = Vendor allows customers to deploy and run their own software, including OSs and applications
• Security as a Service (SECaaS) = All security services are delivered from the cloud to the enterprise

Cloud computing security challenges

-Cloud provider must guarantee means to approve authorized users and deny imposters
-Transmissions from the cloud must be protected
-Customers’ data must be isolated from other customers
-The highest level of application availability and security must be maintained

Cloud access security broker (CASB)

-A set of software tools or services that resides between the enterprise’s on-premises infrastructure and the cloud provider’s infrastructure
-Acts as a “gatekeeper”
-Ensures that the security policies of the enterprise extend to its data in the cloud

2. Software Defined Network (SDN)

-Virtualizes parts of the physical network so that it can be more quickly and easily reconfigured
-Accomplished by separating the control plane from the data plane

If traffic needs to flow through the network
-It receives permission from the SDN controller, which verifies the communication is permitted by the network policy of the enterprise
-Once approved, the SDN controller computes a route for the flow to take
-Adds an entry for that flow in each of the switches along the path

SDNs can provide stronger protection
-Simplifies extending a VLAN beyond the perimeter of the building, which can help secure data
-An SDN can ensure that all network traffic is routed through a firewall
-Can help capture data for NIDS and NIPS

3. Virtualization

-A means of managing and presenting computer resources without regard to physical layout or location

Host virtualization

-An entire operating system environment is simulated
-Virtual machine - a simulated software-based emulation of a computer
-The host system runs a hypervisor that manages the virtual operating systems and supports one or more guest systems
-The VM monitor program is called a hypervisor
• Manages the VM operating systems
-Two types of hypervisor:
• Type I – runs directly on the computer’s hardware instead of the underlying OS
• Type II – runs on the host OS, much like an application

Container or application cell

-Holds only the necessary OS components that are needed for that specific application to run
-Reduces the necessary hard drive storage space and RAM needed
-Allows for containers to start more quickly because the OS does not have to be started

Virtual Desktop Infrastructure (VDI)

-The process of running a user desktop inside a VM that resides on a server
-Enables personalized desktops for each user to be available on any computer or device that can access the server
-Allows centralized management of all virtual desktops

Virtual Distributed Ethernet (VDE)

-An Ethernet-compliant virtual network that can connect physical computers and/or virtual machines together

Advantages:
-New virtual server machines can be made available (host availability) and resources can easily be expanded or contracted as needed (host elasticity)
-Can reduce costs, as fewer physical computers must be purchased and maintained
-Can provide uninterrupted server access to users, as it supports live migration, which allows a virtual machine to be moved to a different physical computer with no impact to users

Security related advantages

-Test the latest security updates by downloading them on a virtual machine before installing on production computers
-A snapshot of a particular state of a virtual machine can be saved for later use
-Testing the existing security configuration (security control testing) can be performed using a simulated network environment
-A suspicious program can be loaded into an isolated virtual machine and executed (sandboxing)
• If it is malware, only the virtual machine will be impacted

Security concerns for virtualized environments:

-Not all hypervisors have the necessary security controls to keep out attackers
-Existing security tools were designed for single physical servers
-VMs must be protected from both outside networks and other VMs on the same physical computer
-VMs may be able to “escape” from the contained environment and directly interact with the host OS
• Important to have virtual machine escape protection
-Virtual machine sprawl
• The widespread proliferation of VMs without proper oversight or management
