SRINIVAS UNIVERSITY
INSTITUTE OF ENGINEERING AND TECHNOLOGY
MUKKA, MANGALURU

DEPARTMENT OF CYBER SECURITY AND CYBER FORENSIC ENGINEERING

NOTES ON ETHICAL HACKING AND NETWORK DEFENSE
SUBJECT CODE: 19SCSF73

COMPILED BY: Mrs. SWATHI R, Assistant Professor
2023-2024
MODULE 4
NETWORK SECURITY AND DEFENCE

Network Security and Defense:

Network Security and Defense encompass strategies and technologies to safeguard the
confidentiality, integrity, and availability of information and resources in a computer
network. It involves a proactive approach to prevent, detect, and respond to security
threats.

Key aspects include:

1. Threat Landscape Analysis: Understanding the types of threats prevalent in the digital
landscape, such as malware, phishing, DDoS attacks, and insider threats.

2. Risk Assessment: Identifying vulnerabilities and assessing potential risks to prioritize
security measures effectively.

3. Security Policies and Procedures: Establishing guidelines and rules for network usage,
access control, data handling, and incident response.

4. Security Awareness Training: Educating employees and users about best practices,
security protocols, and potential risks to mitigate human-related vulnerabilities.

5. Patch Management: Ensuring that network components and software are up to date with
the latest security patches to address known vulnerabilities.

6. Network Monitoring and Logging: Implementing tools and systems to continuously
monitor network traffic, detect anomalies, and maintain detailed logs for auditing and
analysis.

ETHICAL HACKING AND NETWORK DEFENSE (19SCF73) Page 1


Network Firewalls and Intrusion Detection Systems (IDS):

Firewalls:

1. Packet Filtering Firewalls: These inspect individual packets of data and decide whether to
allow or block them based on predefined rules. They operate at the network and transport
layers of the OSI model.

2. Stateful Inspection Firewalls: These maintain a state table of active connections, allowing
incoming packets that belong to established connections. This adds an extra layer of security
by keeping track of the state of connections.

3. Proxy Firewalls: Proxy servers act as intermediaries between internal and external
networks, forwarding requests and responses on behalf of the internal network. This adds
an additional layer of anonymity and can perform content filtering.

4. Next-Generation Firewalls (NGFW): These advanced firewalls combine traditional packet
filtering with deep packet inspection, intrusion prevention, and application-level awareness.
They can identify specific applications or services within the network traffic.

Intrusion Detection Systems (IDS):

An intrusion detection system (IDS) monitors network traffic or host activity for malicious
transactions or policy violations and raises an alert as soon as one is observed. It is a
detective control rather than a preventive one: it reports unauthorized activity, including
activity by insiders, but does not by itself block it. Viewed as a learning problem, the task of
an intrusion detector is to build a predictive model (a classifier) that distinguishes 'bad'
connections (intrusions or attacks) from 'good' (normal) connections.



How does an IDS work?

 An IDS (Intrusion Detection System) monitors the traffic on a computer network to
detect any suspicious activity.
 It analyzes the data flowing through the network to look for patterns and signs of
abnormal behavior.
 The IDS compares the network activity to a set of predefined rules and patterns to
identify any activity that might indicate an attack or intrusion.
 If the IDS detects something that matches one of these rules or patterns, it sends an
alert to the system administrator.
 The system administrator can then investigate the alert and take action to prevent any
damage or further intrusion.

Classification of Intrusion Detection System

IDS are commonly classified into five types, by where the sensor sits and what it inspects:

1. Network Intrusion Detection System (NIDS):

Network intrusion detection systems (NIDS) are placed at a planned point within the network
(for example on a mirror/SPAN port or a network tap) to examine traffic from all devices on
that segment. A NIDS observes the traffic passing on the entire subnet and matches it against
a collection of known attacks. Once an attack is identified or abnormal behaviour is observed,
an alert is sent to the administrator. An example of a NIDS deployment is placing a sensor on
the subnet where the firewalls are located, in order to see whether someone is trying to attack
the firewall.



2. Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS) run on individual hosts or devices on the network. A
HIDS monitors the incoming and outgoing packets of that device only and alerts the
administrator if suspicious or malicious activity is detected. It also watches the host itself: it
takes a snapshot of critical system files and compares it with the previous snapshot, and if a
monitored file has been edited or deleted an alert is sent to the administrator to investigate.
HIDS is typically deployed on mission-critical machines whose configuration is not expected
to change.
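The file-snapshot behaviour described for HIDS, as an added worked example written for these notes (it is not code from any HIDS product): the script hashes a directory tree into a baseline, tampers with a constructed copy of a few "system" files, and reports what changed. The directory layout, file names and contents are made up for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Added example for these notes, not from any HIDS product; files below are constructed.


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            snap[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snap


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two snapshots: files whose digest changed, files that vanished, files that appeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed mini 'filesystem', baseline it, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        # Constructed sample files, not copied from any real host.
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")

        baseline = snapshot(root)  # in practice stored off-host or signed, see note below

        # Simulated attacker activity on the host:
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")   # weakened config
        (root / "bin" / "ls").unlink()                                        # binary removed
        (root / "tmp").mkdir()
        (root / "tmp" / ".backdoor").write_text("#!/bin/sh\nnc -l -p 4444 -e /bin/sh\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for change, files in demo().items():
        print(f"{change}: {files}")
```

Two caveats a practitioner should keep in mind: the baseline itself is a target, so a real HIDS keeps it off-host or signed rather than in a file the same attacker can rewrite; and a periodic scan only sees the end state, so a file that is changed and restored between two scans is invisible to this check.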

3. Protocol-based Intrusion Detection System (PIDS):

A protocol-based intrusion detection system (PIDS) is a system or agent that resides at the
front end of a server and monitors and interprets the protocol exchanged between a
user/device and that server. A typical use is protecting a web server by inspecting the HTTP
protocol stream and accepting only requests that conform to it. Because HTTPS is encrypted
in transit, the PIDS cannot read that traffic on the wire; it must sit where the traffic has been
decrypted, between TLS termination and the web application layer.

4. Application Protocol-based Intrusion Detection System (APIDS):

An application protocol-based intrusion detection system (APIDS) is a system or agent that
generally resides within a group of servers. It identifies intrusions by monitoring and
interpreting communication on application-specific protocols. For example, it may monitor
the SQL protocol explicitly, between the middleware and the database, as the web
application transacts with the database.
5. Hybrid Intrusion Detection System:
A hybrid intrusion detection system combines two or more of the approaches above. In a
hybrid system, host agent or system data is combined with network information to build a
complete view of the network. Because it correlates both sources, a hybrid system can be
more effective than any single type on its own. Prelude is an example of a hybrid IDS.
Benefits of IDS

 Detects malicious activity: an IDS can detect suspicious activity and alert the system
administrator before significant damage is done.
 Visibility into network problems: the same traffic monitoring can surface misconfigurations
and performance issues on the network, which can then be addressed.
 Compliance requirements: an IDS can help meet compliance requirements by monitoring
network activity and generating reports.
 Provides insights: an IDS generates valuable insights into network traffic, which can be used
to identify weaknesses and improve network security.
Detection Method of IDS

Signature-based Method:

A signature-based IDS detects attacks by matching traffic against specific known patterns,
such as a particular byte sequence in a packet payload, a malformed header, or a known
malicious instruction sequence used by malware. The patterns the IDS looks for are called
signatures. A signature-based IDS can easily detect attacks whose signature already exists in
its database, but it cannot detect new malware or attack variants whose signature is not yet
known, so it depends on frequent signature updates.

Anomaly-based Method:

An anomaly-based IDS was introduced to detect unknown attacks, since new malware is
developed rapidly. It first builds a model of trusted (normal) activity, often using statistical or
machine learning methods, and then compares incoming activity with that model; anything
that deviates from the model is declared suspicious. Because the model is trained on the
organisation's own applications and hardware, the approach generalises better than
signature matching to previously unseen attacks, at the cost of a higher false positive rate and
the need for a representative baseline.

Comparison of IDS with Firewalls

An IDS and a firewall are both network security controls, but they play different roles. A
firewall is a preventive control: it looks outward and restricts access between networks
according to policy in order to stop intrusions from happening, and it does not signal an
attack that never crosses it, such as one launched from inside the network it protects. An IDS
is a detective control: it describes a suspected intrusion once it has begun, including one from
inside, and then raises an alarm.

Configuring Firewalls to Filter Network Traffic:

What is a Firewall?
A firewall is a type of cyber security tool used to filter traffic on a network. Firewalls can
separate network nodes from external traffic sources, internal traffic sources, or even specific
applications. Firewalls can be software, hardware, or cloud-based, with each type of firewall
having unique pros and cons.

Firewall Types:
 Packet-filtering firewalls
 Circuit-level gateways
 Stateful inspection firewalls
 Application-level gateways (a.k.a. proxy firewalls)
 Next-gen firewalls

Firewall Delivery Methods:

 Software firewalls
 Hardware firewalls
 Cloud firewalls

Type 1: Packet-Filtering Firewalls

As the most "basic" and oldest type of firewall architecture, packet-filtering firewalls create a
checkpoint at a traffic router or switch. The firewall performs a simple check of the data
packets coming through the router, inspecting information such as the destination and
origination IP address, packet type, port number, and other surface-level details without
opening the packet to examine its contents. It then drops the packet if the information
doesn't pass the inspection.

The good thing about these firewalls is that they aren’t very resource-intensive. Using fewer
resources means they are relatively simple and don’t significantly impact system
performance. However, they’re also relatively easy to bypass compared to firewalls with
more robust inspection capabilities.

Type 2: Circuit-Level Gateways


Circuit-level gateways are another simple firewall type meant to quickly and easily approve
or deny traffic without consuming significant computing resources. Circuit-level gateways
work at the session layer: they verify the transmission control protocol (TCP) handshake.
This TCP handshake check is designed to ensure that the session the packet belongs to is
legitimate.

While extremely resource-efficient, these firewalls do not check the packet itself. So, if a
packet held malware but had the proper TCP handshake, it would easily pass through.
Vulnerabilities like this are why circuit-level gateways are not enough to protect your
business by themselves.

Type 3: Stateful Inspection Firewalls

This firewall type combines packet inspection technology and TCP handshake verification to
create a more significant level of protection than either of the two architectures could provide
alone.

However, these firewalls also put more of a strain on computing resources. This may slow
down the transfer of legitimate packets compared to the other solutions.

Type 4: Proxy Firewalls (Application-Level Gateways/Cloud Firewalls)

Proxy firewalls operate at the application layer to filter incoming traffic between your
network and the traffic source, hence the name "application-level gateway". These firewalls
are delivered via a cloud-based solution or another proxy device. Rather than letting traffic
connect directly, the proxy firewall first establishes a connection to the source of the traffic
and inspects the incoming data packet.

This check is similar to the stateful inspection firewall in looking at both the packet and the
TCP handshake protocol. However, proxy firewalls may also perform deep-layer packet
inspections, checking the actual contents of the information packet to verify that it contains
no malware.

Once the check is complete and the packet is approved to connect to the destination, the
proxy sends it off. This creates an extra layer of separation between the "client" (the system
where the packet originated) and the individual devices on your network, obscuring them to
create additional anonymity and protection for your network.

The one drawback to proxy firewalls is that they can create a significant slowdown because
of the extra steps in the data packet transfer process.

Type 5: Next-Generation Firewalls

Many of the most recently released firewall products are touted as "next-generation"
architectures. However, there is no consensus on what makes a firewall genuinely next-gen.

Some typical features of next-generation firewall architectures include deep packet
inspection (checking the actual contents of the data packet), TCP handshake checks, and
surface-level packet inspection. Next-generation firewalls may incorporate other technologies,
such as intrusion prevention systems (IPSs), that automatically stop attacks against your
network.

The issue is that there is no one definition of a next-generation firewall, so verifying what
specific capabilities such a firewall has before investing in one is essential.

Firewall Deployment Architecture 1: Software Firewalls

Software firewalls include any type of firewall that is installed on a local device rather than a
separate piece of hardware (or a cloud server). The big benefit of a software firewall is that
it's highly useful for creating defense in depth by isolating individual network endpoints from
one another.

However, maintaining individual software firewalls on different devices can be difficult and
time-consuming. Furthermore, not every device on a network may be compatible with a
single software firewall, which may mean having to use several different software firewalls to
cover every asset.

Firewall Deployment Architecture 2: Hardware Firewalls

Hardware firewalls use a physical appliance that acts like a traffic router to intercept data
packets and traffic requests before they reach the network's servers. Physical
appliance-based firewalls like this excel at perimeter security by ensuring malicious traffic
from outside the network is intercepted before the company's network endpoints are
exposed to risk.

However, the major weakness of a hardware-based firewall is that it only sees traffic that
crosses it: an insider, or an attacker who already has a foothold inside the perimeter, can
move between internal hosts without ever passing through it. Also, the actual capabilities of a
hardware firewall vary by manufacturer; some have a more limited capacity to handle
simultaneous connections than others, for example.

Firewall Deployment Architecture 3: Cloud Firewalls

Whenever a cloud service is used to deliver a firewall, it can be called a cloud firewall or
firewall-as-a-service (FWaaS). Many consider cloud firewalls synonymous with proxy
firewalls, since a cloud server is often used in a proxy firewall setup (though the proxy
doesn't necessarily have to be in the cloud, it frequently is).

The primary benefit of having cloud-based firewalls is that they are straightforward to scale
with your organization. As your needs grow, you can add additional capacity to the cloud
server to filter larger traffic loads. Cloud firewalls, like hardware firewalls, excel at perimeter
security.

Understanding Firewall Principles and Types:

Firewall Principles:

1. Packet Filtering: Examines individual packets of data and makes decisions based on
source/destination addresses, port numbers, and protocols. It's efficient but lacks
awareness of the context of connections.

2. Stateful Inspection: Keeps track of the state of active connections and only allows packets
that belong to established connections. Provides greater security by understanding the
context of connections.

3. Proxying: Acts as an intermediary between clients and servers, forwarding requests on
behalf of clients. Enhances security and privacy by hiding internal network details.

4. Application Layer Filtering: Operates at the application layer of the OSI model, allowing
deeper inspection of application-specific data.

Types of Firewalls:



1. Hardware Firewalls: Dedicated hardware devices that provide firewall functionalities.
Often placed between an organization's internal network and the internet.

2. Software Firewalls: Installed on individual computers or servers to control traffic at the
system level.

3. Network Firewalls: Protect an entire network by controlling traffic between internal and
external networks.

4. Next-Generation Firewalls (NGFW): Combine traditional firewall features with intrusion
prevention, deep packet inspection, and application awareness.

5. Proxy Firewalls: Proxy servers forward requests and responses, acting as intermediaries.
They provide anonymity and can filter content.

6. Stateful Firewalls: Maintain a state table of active connections and make decisions based
on the connection's state.

Configuring Firewalls to Filter Network Traffic:

Steps to Configure Firewalls:

1. Determine Security Requirements: Identify what needs protection, the traffic to
allow/block, and the services to be accessible.

2. Create Access Control Lists (ACLs): Define rules specifying which traffic is allowed and
which is denied. Rules are based on source/destination IP addresses, port numbers, and
protocols.

3. Default Deny Policy: Set the firewall to block all traffic by default and explicitly allow
only the necessary traffic. This minimizes the attack surface.

4. Segmentation: Divide the network into segments using firewalls to control traffic
flow between them. This limits lateral movement by attackers.

5. Ingress and Egress Filtering: Control both incoming (ingress) and outgoing (egress)
traffic. Egress filtering limits data exfiltration and command-and-control traffic from
compromised or malicious internal hosts.

6. Logging and Monitoring: Enable firewall logging to track allowed and denied
connections. Regularly review logs for signs of potential attacks or policy violations.
Application of Firewall Rules:

1. Source and Destination IP Addresses: Define rules based on IP addresses to allow or
block traffic from specific sources or destined for specific destinations.

2. Port Numbers: Control traffic based on port numbers. For example, allowing web
traffic (HTTP) on port 80 or secure web traffic (HTTPS) on port 443.

3. Protocols: Specify protocols such as TCP, UDP, ICMP, etc. to determine which types
of traffic are permitted.

4. Direction: Decide whether rules apply to incoming (ingress) or outgoing (egress)
traffic.

5. Rule Order: Arrange rules in the correct order. Rules are usually processed from top
to bottom and the first match wins, so more specific rules should precede general ones; a
broad rule placed above a narrower one shadows it, and the narrower rule never fires.

6. Logging and Alerts: Configure rules to log traffic that matches them. This helps in
monitoring and incident response.

Configuring firewalls requires a deep understanding of network architecture, services, and
security needs. Regularly review and update firewall rules to adapt to evolving security
requirements and emerging threats.

Remember, a well-configured firewall is a critical component of network security, acting as
the first line of defense against unauthorized access and potential threats.


Intrusion Detection and Prevention Techniques:

1. Signature-Based Detection:

- Definition: Compares network traffic or system activity to a database of known attack
patterns (signatures).

- Advantages: Effective against known threats, low false positive rate, quick detection
of recognized attacks.

- Limitations: Ineffective against new or modified attacks, requires frequent signature
updates.

2. Anomaly-Based Detection:

- Definition: Learns and establishes a baseline of normal behavior, then raises alerts
when deviations occur.

- Advantages: Adapts to new and unknown threats, can detect zero-day attacks, offers a
more holistic view of network activity.

- Limitations: Higher false positive rate, requires a thorough understanding of normal
behavior and a clean baseline, may miss attacks that stay within normal bounds.

3. Heuristic Analysis:

- Definition: Uses rules that describe the general characteristics of an attack method (for
example, a process that rapidly modifies many files) rather than an exact signature, so
variants of a known technique can be recognised.

- Advantages: Identifies a wide range of attacks, more adaptive to new variants than exact
signatures, useful for detecting known techniques.

- Limitations: May generate false positives, requires regular rule updates to cover
evolving threats.

4. Behavioral Analysis:

- Definition: Focuses on identifying deviations from the normal behavior of users, hosts or
applications, even if the attack method is unknown.

- Advantages: Detects novel and complex attacks, reduces false positives by considering
context.

- Limitations: Requires a baseline of normal behavior, complex to configure, may miss
subtle deviations.

Intrusion Prevention Systems (IPS):

- Definition: Goes beyond detection by actively blocking or preventing identified
threats, so it must sit inline in the traffic path rather than on a passive tap.

- Advantages: Immediate response to threats, reduces damage, enhances network
security posture.

- Limitations: Possibility of blocking legitimate traffic, requires careful tuning to avoid
false positives; an inline device is also a potential point of failure or added latency.
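Signature-based and anomaly-based detection, as described in the IDS detection methods section earlier and in the list above, together with the IDS-versus-IPS response, in one added worked example written for these notes (not code from any IDS product). It parses constructed web-server log lines, matches the decoded request path against a few signatures, scores it against a baseline of benign paths, and returns either an alert (IDS mode) or a drop (IPS mode). The log lines, signatures, baseline paths and addresses are all made up for the demonstration.

```python
import re
import statistics
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Added example for these notes, not from any IDS product; all sample data is constructed.

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$')

# Signatures: exact patterns of known attack techniques, applied to the decoded URL.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I),
    "path-traversal": re.compile(r"(^|/)\.\./"),
    "cmd-injection": re.compile(r"[;|]\s*(cat|wget|curl|nc|sh)\b", re.I),
}


def parse(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["url"] = unquote(rec["url"])   # normalise %-encoding so signatures cannot be evaded by it
    return rec


def signature_matches(url: str) -> List[str]:
    return [name for name, rx in SIGNATURES.items() if rx.search(url)]


class AnomalyDetector:
    """Baseline one feature of normal traffic (URL length) and flag large deviations (z-score)."""

    def __init__(self, training_urls: List[str], threshold: float = 3.0) -> None:
        lengths = [len(u) for u in training_urls]
        self.mean = statistics.mean(lengths)
        self.stdev = statistics.pstdev(lengths) or 1.0
        self.threshold = threshold

    def is_anomalous(self, url: str) -> bool:
        return (len(url) - self.mean) / self.stdev > self.threshold


def inspect(lines: List[str], detector: AnomalyDetector, mode: str = "ids") -> List[Tuple[str, str, str, str]]:
    """Return (source, url, reason, action) per line. IDS alerts; IPS drops the same requests."""
    verdicts = []
    for line in lines:
        rec = parse(line)
        sigs = signature_matches(rec["url"])
        if sigs or detector.is_anomalous(rec["url"]):
            reason = ",".join(sigs) or "anomaly"
            action = "drop" if mode == "ips" else "alert"
        else:
            reason, action = "", "pass"
        verdicts.append((rec["src"], rec["url"], reason, action))
    return verdicts


# Constructed baseline of benign request paths used to train the anomaly model.
TRAINING_URLS = ["/index.html", "/products/42", "/static/css/site.css", "/login", "/cart?item=7",
                 "/search?q=shoes", "/about", "/images/logo.png", "/api/v1/orders/1001", "/contact"]

# Constructed sample log lines (Common Log Format); none are from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products/42 HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Oct/2023:13:55:37 +0000] "GET /login?user=admin%27%20OR%201=1-- HTTP/1.1" 200 300',
    '198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 150',
    '203.0.113.4 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=%7B%7B7*7%7D%7D%7B%7Bconfig.items()%7D%7D HTTP/1.1" 200 250',
    '10.0.0.8 - - [10/Oct/2023:13:55:40 +0000] "GET /products?category=outdoor&sort=price&page=3 HTTP/1.1" 200 4096',
]


def demo(mode: str = "ids"):
    return inspect(SAMPLE_LOG, AnomalyDetector(TRAINING_URLS), mode)
```

Lines two and three hit signatures (SQL injection and path traversal). Line four is a template-injection probe that no signature here knows; only the anomaly path catches it, which is the advantage listed above. Line five is a perfectly legitimate but long catalogue URL: the anomaly detector alerts on it anyway, and in IPS mode that false positive becomes a dropped customer request, which is exactly the tuning cost the IPS limitations describe. A production detector would score many more features than URL length (request rate per source, byte distribution, status-code ratios); the single feature here is only to make the mechanism visible.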

Secure Network Design and Architecture:

1. Defense-in-Depth:

- Definition: Employ multiple layers of security controls to protect against various
threats.

- Advantages: Reduces the impact of a single security failure, provides redundancy, and
increases security resilience.

2. Least Privilege:

- Definition: Users and systems should have only the minimum privileges necessary to
perform their tasks.

- Advantages: Limits the potential damage an attacker can cause if they compromise a
system or account.

3. Segregation of Duties:

- Definition: Separating responsibilities to prevent a single individual from having too
much control.

- Advantages: Makes insider attacks harder, since they require collusion, and reduces the
risk of errors or malicious actions going unnoticed.

4. Zero Trust Architecture:

- Definition: Assumes that no one, whether inside or outside the network, can be
trusted by default.

- Advantages: Requires verification and authentication for every user and device,
minimizes attack surface.

5. Redundancy and High Availability:

- Definition: Implementing redundancy in critical network components to ensure
continuity in case of failures.

- Advantages: Enhances availability, minimizes downtime, maintains business
operations during failures.

Network Segmentation:



Network segmentation is an architectural approach that divides a network into multiple
segments or subnets, each acting as its own small network. This allows network
administrators to control the flow of network traffic between subnets based on granular
policies. Organizations use segmentation to improve monitoring, boost performance, localize
technical issues and, most importantly, enhance security.

With network segmentation, network security personnel have a powerful tool with which to
prevent unauthorized users, whether curious insiders or malicious attackers, from gaining
access to valuable assets such as customers' personal information, corporate financial records
and highly confidential intellectual property, the so-called "crown jewels" of the enterprise.
With the rise of software-defined networking (SDN), these assets are frequently spread across
hybrid and multicloud environments (public clouds, private clouds and software-defined
networks), all of which need to be secured against attacks and data breaches. To understand
the security usage of network segmentation, it is first necessary to consider the concept of
trust in network security.



The Trust Assumption

In the past, network architects targeted their security strategies at the network perimeter, the
invisible line that separates the outside world from the data vital to an enterprise's business.
Individuals within the perimeter were assumed to be trustworthy and therefore not a threat.
Thus, they were subject to few restrictions on their ability to access information.

However, legacy security infrastructures are generally flat network architectures that rely on a
perimeter firewall as their only point of traffic inspection and control. Since network
boundaries don't exist as they used to, and most data center traffic is east-west, traditional
port-based firewalls provide limited value in a cloud and mobile world.

Recent high-profile breaches have called the trust assumption into question. For one thing,
insiders can indeed be the source of breaches, often inadvertently but sometimes deliberately.
In addition, when threats penetrate the perimeter, they are free to move laterally in the
network to access virtually any data, application, asset or service (DAAS). With virtually
unhindered access, attackers can easily exfiltrate a full range of valuable assets, often before
the breach has even been detected (see figure 1).



Figure 1: Lateral movement inside the perimeter under the trust assumption

The Zero Trust Response

Because of the inherent weaknesses of assumed trust, many organizations have begun to
adopt the Zero Trust strategy. Zero Trust assumes nobody is trustworthy by default, even those
already inside the network perimeter. Zero Trust works on the principle of a "protect surface"
built around the organization's most critical and valuable DAAS. Because it contains only
what's most critical to business operations, the protect surface is orders of magnitude smaller
than the attack surface of the full network perimeter.



This is where network segmentation comes in. Using segmentation, network architects can
construct a microperimeter around the protect surface, essentially forming a second line of
defense. In some instances, virtual firewalls can automate security provisioning to simplify
segmenting tasks. However it is accomplished, authorized users can access assets within the
protect surface while all others are barred by default.

Segmentation is bad news for attackers because, unlike in the days of assumed trust, simply
penetrating the perimeter isn't enough to gain access to sensitive information.
Microperimeters, whether physical or virtual, prevent threats from moving laterally within the
network, essentially negating much of the work that went into creating the initial breach (see
figure 2).

Figure 2: Limited movement inside the perimeter with Zero Trust and network segmentation



Use Cases

Organizations can use network segmentation for a variety of applications, including:

 Guest wireless network: Using network segmentation, a company can offer Wi-Fi service to
visitors and contractors at relatively little risk. When someone logs in with guest credentials,
they enter a microsegment that provides access to the internet and nothing else.

 User group access: To guard against insider breaches, many enterprises segment individual
internal departments into separate subnets consisting of the authorized group members and
the DAAS they need to do their jobs. Access between subnets is rigorously controlled. For
example, someone in engineering attempting to access the human resources subnet would
trigger an alert and an investigation.

 Public cloud security: Cloud service providers are typically responsible for security of the
cloud infrastructure, but the customer is responsible for the security of the operating systems,
platforms, access control, data, intellectual property, source code and customer-facing
content that typically sit atop the infrastructure. Segmentation is an effective method for
isolating applications in public and hybrid cloud environments.

 PCI DSS compliance: Network administrators can use segmentation to isolate all credit card
information into a security zone, essentially a protect surface, and create rules to allow only
the absolute minimum, legitimate traffic into the zone while automatically denying everything
else. These isolated zones are frequently virtualized SDNs in which PCI DSS compliance and
segmentation can be achieved via virtual firewalls.
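The use cases above expressed as a zone-based segmentation policy, in an added worked example written for these notes (it is not code from any vendor or from the source these notes draw on). Zones are defined by address ranges, which is logical segmentation by addressing scheme; every flow between two zones is denied unless the policy explicitly lists it, which is the default-deny microperimeter described earlier. The zone names, address ranges, hosts and permitted flows are all constructed for the demonstration; the enforcement point in a real deployment would be the firewall or VLAN gateway between the segments.

```python
import ipaddress
from typing import Dict, List, Set, Tuple, Union

# Added example for these notes, not vendor code. Zones, ranges and flows are constructed.

ZONES: Dict[str, List[str]] = {
    "guest-wifi":  ["192.168.50.0/24"],
    "engineering": ["10.10.0.0/16"],
    "hr":          ["10.20.0.0/16"],
    "pci-cde":     ["10.99.0.0/24"],     # cardholder data environment, the PCI protect surface
    "web-dmz":     ["203.0.113.0/24"],
    "internet":    ["0.0.0.0/0"],        # catch-all; longest prefix wins, so it matches only the rest
}

Ports = Union[str, Set[int]]   # "any" or an explicit set of destination ports

# (source zone, destination zone) -> permitted destination ports. Unlisted pairs are denied.
POLICY: Dict[Tuple[str, str], Ports] = {
    ("guest-wifi", "internet"):     {80, 443},    # guests reach the internet and nothing else
    ("engineering", "internet"):    {80, 443},
    ("hr", "internet"):             {80, 443},
    ("internet", "web-dmz"):        {443},
    ("web-dmz", "pci-cde"):         {443},        # payment API only; nothing else may enter the CDE
    ("engineering", "engineering"): "any",
    ("hr", "hr"):                   "any",
}


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address against the zone definitions."""
    addr = ipaddress.ip_address(ip)
    best = None
    for zone, cidrs in ZONES.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, zone)
    if best is None:
        raise ValueError(f"{ip} is in no zone")
    return best[1]


def check_flow(src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str, str]:
    """Decide a flow between two hosts; returns (action, source zone, destination zone)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    allowed = POLICY.get((src_zone, dst_zone), set())
    if allowed == "any" or dport in allowed:
        return ("allow", src_zone, dst_zone)
    return ("deny", src_zone, dst_zone)   # a denied cross-zone attempt is what should raise an alert


def zones_reaching(target: str) -> Set[str]:
    """Zones with any permitted flow into target: the systems that stay in scope for its controls."""
    return {src for (src, dst) in POLICY if dst == target} | {target}


def demo() -> Dict[str, Tuple[str, str, str]]:
    return {
        "guest_to_internet": check_flow("192.168.50.23", "198.51.100.7", 443),
        "guest_to_eng_ssh":  check_flow("192.168.50.23", "10.10.1.5", 22),
        "eng_to_hr_smb":     check_flow("10.10.1.5", "10.20.3.9", 445),   # the engineering-to-HR case
        "hr_to_hr_smb":      check_flow("10.20.3.9", "10.20.3.10", 445),
        "dmz_to_cde_api":    check_flow("203.0.113.10", "10.99.0.5", 443),
        "eng_to_cde_db":     check_flow("10.10.1.5", "10.99.0.5", 5432),
        "internet_to_dmz":   check_flow("198.51.100.7", "203.0.113.10", 443),
    }
```

`zones_reaching("pci-cde")` returns only the CDE itself and the DMZ tier that talks to it, which is the "decreased scope of compliance" benefit in concrete form: every other segment is out of PCI scope because no permitted flow reaches the cardholder data. The denied engineering-to-HR flow is the one the text says should trigger an alert and an investigation; in practice that means logging denies on the segment gateway, not silently dropping them.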

Physical vs. Logical Segmentation

Network segmentation can be implemented as either physical or logical

segmentation.

As the name implies, physical segmentation involves breaking down a larger

computer network into a collection of smaller subnets. A physical or virtual

firewall acts as the subnet gateway, controlling which traffic comes in and goes

out. Physical segmentation is relatively straightforward to administer because

the topology is fixed in the architecture.

Logical segmentation creates subnets using one of two primary methods:

virtual local area networks (VLANs) or network addressing schemes. VLAN-

based approaches are fairly straightforward to implement because the VLAN

tags automatically route traffic to the appropriate subnet. Network addressing

schemes are equally effective but require more detailed understanding of

networking theory. Logical segmentation is more flexible than physical

segmentation because it requires no wiring or physical movement of

ETHICAL HACKING AND NETWORK DEFENSE (19SCF73) Page 21


components to accomplish. Automated provisioning can greatly simplify the

configuration of subnets.

Moving to a segmentation architecture provides an opportunity to simplify the management of firewall policies. An emerging best practice is to use a single consolidated policy for subnet access control as well as threat detection and mitigation, rather than performing these functions in different parts of the network. This approach reduces the attack surface and strengthens the organization’s security posture.

Benefits of Network Segmentation

 Stronger network security

Because segmentation splits the network into smaller subnetworks, isolating network traffic lessens the attack surface, obstructing lateral movement. Segmentation also isolates attacks before they spread. For instance, a malware infection in one subnetwork would not impact systems in another.

 Less congestion, better performance

Network segmentation reduces congestion. When a network has too many network hosts, congestion ensues because too many packets are transmitted. In some cases, performance can suffer to a degree wherein no packet is delivered. Subnetting, or breaking the network into small segments, relieves congestion significantly.

 Decreased scope of compliance

Regulatory compliance costs can be reduced using network segmentation, as it limits the number of in-scope systems.

DMZ (Demilitarized Zone):

A DMZ or demilitarized zone is a perimeter network that protects and adds an extra layer of security to an organization’s internal local-area network from untrusted traffic.

The end goal of a demilitarized zone network is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or LAN remains secure. Organizations typically store external-facing services and resources, as well as servers for the Domain Name System (DNS), File Transfer Protocol (FTP), mail, proxy, Voice over Internet Protocol (VoIP), and web servers, in the DMZ.

These servers and resources are isolated and given limited access to the LAN to ensure
they can be accessed via the internet but the internal LAN cannot. As a result, a DMZ
approach makes it more difficult for a hacker to gain direct access to an organization’s
data and internal servers via the internet. A company can minimize the vulnerabilities of
its Local Area Network, creating an environment safe from threats while also ensuring
employees can communicate efficiently and share information directly via a safe
connection.

How Does a DMZ Network Work?

Businesses with a public website that customers use must make their web server
accessible to the internet. To protect the corporate local area network, the web server is
installed on a separate computer from internal resources. The DMZ enables
communication between protected business resources, like internal databases, and
qualified traffic from the Internet.

A DMZ network provides a buffer between the internet and an organization’s private
network. The DMZ is isolated by a security gateway, such as a firewall, that filters traffic
between the DMZ and a LAN. The default DMZ server is protected by another security
gateway that filters traffic coming in from external networks.

It is ideally located between two firewalls, and the DMZ firewall setup ensures incoming
network packets are observed by a firewall—or other security tools—before they make it
through to the servers hosted in the DMZ. This means that even if a sophisticated
attacker is able to get past the first firewall, they must also access the hardened services
in the DMZ before they can do damage to a business.

If an attacker is able to penetrate the external firewall and compromise a system in the
DMZ, they then also have to get past an internal firewall before gaining access to
sensitive corporate data. A highly skilled bad actor may well be able to breach a secure
DMZ, but the resources within it should sound alarms that provide plenty of warning that
a breach is in progress.

Organizations that need to comply with regulations, such as the Health Insurance
Portability and Accountability Act (HIPAA), will sometimes install a proxy server in the
DMZ. This enables them to simplify the monitoring and recording of user activity,
centralize web content filtering, and ensure employees use the system to gain access to
the internet.

Benefits of Using a DMZ

The main benefit of a DMZ is to provide an internal network with an advanced security
layer by restricting access to sensitive data and servers. A DMZ enables website visitors
to obtain certain services while providing a buffer between them and the organization’s
private network. As a result, the DMZ also offers additional security benefits, such as:

1. Enabling access control: Businesses can provide users with access to services outside
the perimeters of their network through the public internet. The DMZ enables access to
these services while implementing network segmentation to make it more difficult for an
unauthorized user to reach the private network. A DMZ may also include a proxy server,
which centralizes internal traffic flow and simplifies the monitoring and recording of that
traffic.
2. Preventing network reconnaissance: By providing a buffer between the internet and a
private network, a DMZ prevents attackers from performing the reconnaissance work
they carry out to search for potential targets. Servers within the DMZ are exposed
publicly but are offered another layer of security by a firewall that prevents an attacker
from seeing inside the internal network. Even if a DMZ system gets compromised, the
internal firewall separates the private network from the DMZ to keep it secure and make
external reconnaissance difficult.
3. Blocking Internet Protocol (IP) spoofing: Attackers attempt to find ways to gain access to
systems by spoofing an IP address and impersonating an approved device signed in to a
network. A DMZ can discover and stall such spoofing attempts as another service
verifies the legitimacy of the IP address. The DMZ also provides network segmentation
to create a space for traffic to be organized and public services to be accessed away
from the internal private network.

Services of a DMZ include:

1. DNS servers
2. FTP servers
3. Mail servers
4. Proxy servers
5. Web servers

DMZ Design and Architecture

A DMZ is a “wide-open network”, but there are several design and architecture
approaches that protect it. A DMZ can be designed in several ways, from a single-
firewall approach to having dual and multiple firewalls. The majority of modern DMZ
architectures use dual firewalls that can be expanded to develop more complex systems.

1. Single firewall: A DMZ with a single-firewall design requires three or more network
interfaces. The first is the external network, which connects the public internet
connection to the firewall. The second forms the internal network, while the third is
connected to the DMZ. Various rules monitor and control traffic that is allowed to access
the DMZ and limit connectivity to the internal network.
2. Dual firewall: Deploying two firewalls with a DMZ between them is generally a more
secure option. The first firewall only allows external traffic to the DMZ, and the second
only allows traffic that goes from the DMZ into the internal network. An attacker would
have to compromise both firewalls to gain access to an organization’s LAN.

Organizations can also fine-tune security controls for various network segments. This
means that an intrusion detection system (IDS) or intrusion prevention system
(IPS) within a DMZ could be configured to block any traffic other than Hypertext Transfer
Protocol Secure (HTTPS) requests to the Transmission Control Protocol (TCP) port 443.

The Importance of DMZ Networks: How Are They Used?

DMZ networks have been central to securing global enterprise networks since the
introduction of firewalls. They protect organizations’ sensitive data, systems, and
resources by keeping internal networks separate from systems that could be targeted by
attackers. DMZs also enable organizations to control and reduce access levels to
sensitive systems.

Enterprises are increasingly using containers and virtual machines (VMs) to isolate their
networks or particular applications from the rest of their systems. The growth of the
cloud means many businesses no longer need internal web servers. They have also
migrated much of their external infrastructure to the cloud by using Software-as-a-
Service (SaaS) applications.

For example, a cloud service like Microsoft Azure allows an organization that runs
applications on-premises and on virtual private networks (VPNs) to use a hybrid
approach with the DMZ sitting between both. This method can also be used when
outgoing traffic needs auditing or to control traffic between an on-premises data center
and virtual networks.

Further, DMZs are proving useful in countering the security risks posed by new
technology such as Internet-of-Things (IoT) devices and operational technology (OT)
systems, which make production and manufacturing smarter but create a vast threat
surface. That is because OT equipment has not been designed to cope with or recover
from cyberattacks the way that IoT digital devices have been, which presents a
substantial risk to organizations’ critical data and resources. A DMZ provides network
segmentation to lower the risk of an attack that can cause damage to industrial
infrastructure.

Security Information and Event Management (SIEM):

Security information and event management, or SIEM, is a security solution that helps
organizations recognize and address potential security threats and vulnerabilities before
they have a chance to disrupt business operations. SIEM systems help enterprise security
teams detect user behavior anomalies and use artificial intelligence (AI) to automate many
of the manual processes associated with threat detection and incident response.

How does SIEM work?

At the most basic level, all SIEM solutions perform some level of data aggregation,
consolidation and sorting functions in order to identify threats and adhere to data compliance
requirements. While some solutions vary in capability, most offer the same core set of
functionality:

1. Log Management

SIEM ingests event data from a wide range of sources across an organization’s entire IT
infrastructure, including on-premises and cloud environments. Event log data from users,
endpoints, applications, data sources, cloud workloads, and networks—as well as data from
security hardware and software such as firewalls or antivirus software—is collected,
correlated and analyzed in real-time.

Some SIEM solutions also integrate with third-party threat intelligence feeds in order to
correlate their internal security data against previously recognized threat signatures and
profiles. Integration with real-time threat feeds enables teams to block or detect new types of
attack signatures.

2. Event Correlation and Analytics

Event correlation is an essential part of any SIEM solution. Utilizing advanced analytics to
identify and understand intricate data patterns, event correlation provides insights to quickly
locate and mitigate potential threats to business security. SIEM solutions significantly
improve mean time to detect (MTTD) and mean time to respond (MTTR) for IT security teams
by offloading the manual workflows associated with the in-depth analysis of security events.

Incident Monitoring and Security Alerts

SIEM consolidates its analysis into a single, central dashboard where security teams monitor
activity, triage alerts, identify threats and initiate response or remediation. Most SIEM
dashboards also include real-time data visualizations that help security analysts spot spikes or
trends in suspicious activity. Using customizable, predefined correlation rules, administrators
can be alerted immediately and take appropriate actions to mitigate threats before they
materialize into more significant security issues.
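As an added illustration of the log management, correlation and alerting functions described above (example code written for these notes, not code from any SIEM product), the following Python script normalises constructed firewall and sshd log lines into one event schema and runs two correlation rules over them; the hostnames, addresses, log formats and the four-failure threshold are constructed assumptions.

```python
"""Minimal SIEM-style pipeline over constructed log lines: ingest and
normalise two sources, then run correlation rules that emit alerts.
Added example for these notes, not code from any SIEM product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources: a firewall and an SSH server.
RAW_LOGS = [
    "2024-03-01T09:00:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T09:00:05 srv01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:09 srv01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:12 srv01 sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T09:00:15 srv01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:20 srv01 sshd: Accepted password for admin from 203.0.113.7",
    "2024-03-01T09:30:00 srv01 sshd: Failed password for bob from 198.51.100.4",
    "2024-03-01T09:31:00 srv01 sshd: Accepted password for bob from 198.51.100.4",
    "garbage line the parsers do not understand",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def normalise(line):
    """Map one raw line onto a common event schema; None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "src": m["src"], "user": m["user"],
                "kind": "auth_ok" if m["result"] == "Accepted" else "auth_fail"}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "src": m["src"], "user": None, "kind": "fw_" + m["action"].lower()}
    return None

def ingest(lines):
    """Log management step: parse what we can and order events by time."""
    events = [e for e in map(normalise, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    return events

def correlate_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failures from one source inside `window`,
    followed by a success from that source. `threshold` is the tuning knob
    that trades detection sensitivity against false positives."""
    recent_fails = defaultdict(list)      # src -> timestamps of failures
    alerts = []
    for e in events:
        # keep only failures still inside the correlation window
        fails = [t for t in recent_fails[e["src"]] if e["ts"] - t <= window]
        if e["kind"] == "auth_fail":
            fails.append(e["ts"])
        elif e["kind"] == "auth_ok":
            if len(fails) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "severity": "high",
                               "src": e["src"], "user": e["user"], "host": e["host"],
                               "failures": len(fails), "ts": e["ts"]})
            fails = []                    # a success closes the sequence
        recent_fails[e["src"]] = fails
    return alerts

def correlate_deny_then_login(events):
    """Rule: a source the firewall already denied later tries to log in
    somewhere else; alert once per source (medium severity)."""
    denied, alerts = set(), []
    for e in events:
        if e["kind"] == "fw_deny":
            denied.add(e["src"])
        elif e["kind"] == "auth_fail" and e["src"] in denied:
            alerts.append({"rule": "denied_then_login_attempt", "severity": "medium",
                           "src": e["src"], "host": e["host"], "ts": e["ts"]})
            denied.discard(e["src"])
    return alerts

def run_siem(lines, threshold=4):
    """Whole pipeline: ingest, correlate, return alerts ordered by time."""
    events = ingest(lines)
    alerts = correlate_bruteforce(events, threshold) + correlate_deny_then_login(events)
    return sorted(alerts, key=lambda a: a["ts"])

if __name__ == "__main__":
    for a in run_siem(RAW_LOGS):
        print(a["ts"], a["severity"].upper(), a["rule"], a["src"])
```

Raising `threshold` to 5 silences the brute-force alert on this data, which is the sensitivity versus false-positive trade-off that rule tuning involves.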

3. Compliance Management and Reporting

SIEM solutions are a popular choice for organizations subject to different forms of regulatory
compliance. Due to the automated data collection and analysis that it provides, SIEM is a
valuable tool for gathering and verifying compliance data across the entire business
infrastructure. SIEM solutions can generate real-time compliance reports for PCI-DSS,
GDPR, HIPAA, SOX, and other compliance standards, reducing the burden of security
management and detecting potential violations early so they can be addressed. Many
SIEM solutions come with pre-built, out-of-the-box add-ons that can generate automated
reports designed to meet compliance requirements.

The benefits of SIEM

Regardless of how large or small an organization may be, taking proactive steps to monitor
for and mitigate IT security risks is essential. SIEM solutions benefit enterprises in a variety
of ways and have become a significant component in streamlining security workflows.

Real-time threat recognition

SIEM solutions enable centralized compliance auditing and reporting across an entire
business infrastructure. Advanced automation streamlines the collection and analysis of
system logs and security events to reduce internal resource utilization while meeting strict
compliance reporting standards.

4. AI-driven automation

Today's next-gen SIEM solutions integrate with powerful security orchestration, automation
and response (SOAR) systems, saving time and resources for IT teams as they manage
business security. Using deep machine learning that automatically learns from network
behavior, these solutions can handle complex threat identification and incident response
protocols in significantly less time than physical teams.

5. Improved organizational efficiency

Because of the improved visibility of IT environments that it provides, SIEM can be an
essential driver of improving interdepartmental efficiencies. A central dashboard provides a
unified view of system data, alerts and notifications, enabling teams to communicate and
collaborate efficiently when responding to threats and security incidents.

Detecting advanced and unknown threats

Considering how quickly the cybersecurity landscape changes, organizations need to be able
to rely on solutions that can detect and respond to both known and unknown security threats.
Using integrated threat intelligence feeds and AI technology, SIEM solutions can help
security teams respond more effectively to a wide range of cyberattacks including:

 Insider threats - security vulnerabilities or attacks that originate from individuals with
authorized access to company networks and digital assets.

 Phishing - messages that appear to be sent by a trusted sender, often used to steal user
data, login credentials, financial information, or other sensitive business information.

 Ransomware - malware that locks a victim’s data or device and threatens to keep it
locked—or worse—unless the victim pays a ransom to the attacker.

 Distributed denial of service (DDoS) attacks - attacks that bombard networks and
systems with unmanageable levels of traffic from a distributed network of hijacked
devices (botnet), degrading performance of websites and servers until they are
unusable.

 Data exfiltration – theft of data from a computer or other device, conducted manually,
or automatically using malware.

6. Conducting forensic investigations

SIEM solutions are ideal for conducting computer forensic investigations once a security
incident occurs. SIEM solutions allow organizations to efficiently collect and analyze log
data from all of their digital assets in one place. This gives them the ability to recreate past
incidents or analyze new ones to investigate suspicious activity and implement more effective
security processes.

7. Assessing and reporting on compliance

Compliance auditing and reporting is both a necessary and challenging task for many
organizations. SIEM solutions dramatically reduce the resource expenditures required to
manage this process by providing real-time audits and on-demand reporting of regulatory
compliance whenever needed.

Monitoring Users and Applications

With the rise in popularity of remote workforces, SaaS applications and BYOD (bring your
own device) policies, organizations need the level of visibility necessary to mitigate network
risks from outside the traditional network perimeter. SIEM solutions track all network
activity across all users, devices, and applications, significantly improving transparency
across the entire infrastructure and detecting threats regardless of where digital assets and
services are being accessed.

SIEM implementation best practices

Before or after you've invested in your new solution, here are some SIEM implementation
best practices you should follow:

1. Begin by fully understanding the scope of your implementation. Define how your business
will best benefit from deployment and set up the appropriate security use cases.

2. Design and apply your predefined data correlation rules across all systems and networks,
including any cloud deployments.

3. Identify all of your business compliance requirements and ensure your SIEM solution is
configured to audit and report on these standards in real-time so you can better understand
your risk posture.

4. Catalog and classify all digital assets across your organization's IT infrastructure. This will be
essential when collecting log data, detecting access abuses, and monitoring network
activity.

5. Establish BYOD policies, IT configurations, and restrictions that can be monitored when
integrating your SIEM solution.

6. Regularly tune your SIEM configurations, ensuring you're reducing false positives in your
security alerts.

7. Document and practice all incident response plans and workflows to ensure teams are able to
respond quickly to any security incidents that require intervention.

8. Automate where possible using artificial intelligence (AI) and security technologies such as
SOAR.

9. Evaluate the possibility of investing in an MSSP (Managed Security Service Provider) to
manage your SIEM deployments. Depending on the unique needs of your business, MSSPs
may be better equipped to handle the complexities of your SIEM implementation as well as
regularly manage and maintain its continuous functionality.

What the future holds for SIEM

AI will become increasingly important in the future of SIEM, as cognitive capabilities
improve the system’s decision-making abilities. It will also allow systems to adapt and grow
as the number of endpoints increases. As IoT, cloud computing, mobile and other
technologies increase the amount of data that a SIEM tool must consume, AI offers the
potential for a solution that supports more data types and a complex understanding of the
threat landscape as it evolves.

Implementing VLANs for Isolation:

VLAN (Virtual Local Area Network):

VLANs provide logical segmentation within a physical network, enabling you to isolate
devices, departments, or services for security and performance purposes.

Steps for VLAN implementation

1. Planning: Determine the scope and purpose of each VLAN. Consider the logical grouping
of devices and the security requirements.

2. Network Switch Configuration: Configure VLANs on managed switches, assigning specific
VLAN IDs to specific switch ports.

3. Trunk Ports: Use trunk ports to carry multiple VLAN traffic between switches and routers.
Trunk ports need to be properly configured to allow tagged traffic.

4. VLAN Tagging: VLAN tagging adds a label to Ethernet frames to indicate which VLAN they
belong to. This is essential for traffic separation.

5. Inter-VLAN Routing: If communication is required between VLANs, set up inter-VLAN
routing using a router or Layer 3 switch.

6. Access Control: Implement access control lists (ACLs) or firewall rules to control the flow
of traffic between VLANs.

7. Segregation: Isolate sensitive data, critical systems, and guest networks into separate
VLANs to prevent unauthorized access.

8. Security Monitoring: Deploy intrusion detection and prevention systems to monitor and
safeguard VLAN traffic.

Implementing VLANs allows you to achieve network isolation and segmentation without
requiring physical changes to your network infrastructure. This enhances security, optimizes
network performance, and helps in compliance with regulatory requirements.
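The following Python model, added for these notes (not vendor switch code), works through steps 2 to 6 above: it builds and parses 802.1Q-tagged frames, assigns ingress frames to a VLAN by port mode, and applies between VLANs the same explicit-allow, default-deny policy that the segmentation and DMZ sections describe for security zones. The port table, VLAN numbers, MAC addresses and ACL entries are constructed assumptions.

```python
"""802.1Q tagging, ingress VLAN assignment, and a default-deny inter-VLAN
policy. Added example for these notes (not vendor switch code); the port
table, VLAN numbers and ACL are constructed."""
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed switch port table (steps 2 and 3 of the notes).
PORTS = {
    "Gi0/1": {"mode": "access", "vlan": 10},               # finance workstation
    "Gi0/2": {"mode": "access", "vlan": 30},               # guest access point
    "Gi0/24": {"mode": "trunk", "allowed": {10, 20, 30}},  # uplink to the router
}

# Constructed inter-VLAN policy (step 6): explicit allows, everything else denied.
ACL = [
    {"src": 10, "dst": 20, "dport": 443},   # finance -> server VLAN, HTTPS
    {"src": 10, "dst": 20, "dport": 1433},  # finance -> server VLAN, database
]

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_untagged_frame(dst, src, payload, ethertype=ETHERTYPE_IPV4):
    """Plain Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def build_tagged_frame(dst, src, vlan_id, payload, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Step 4: insert the 4-byte 802.1Q tag (TPID + TCI) after the source MAC.
    TCI packs 3-bit priority (PCP), 1-bit DEI and the 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | vlan_id            # DEI bit left clear
    return (mac_bytes(dst) + mac_bytes(src)
            + struct.pack("!HH", TPID_8021Q, tci)
            + struct.pack("!H", ethertype) + payload)

def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload); None means untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        inner_type = struct.unpack("!H", frame[16:18])[0]
        return tci & 0x0FFF, inner_type, frame[18:]
    return None, ethertype, frame[14:]

def classify_ingress(port_name, frame):
    """Assign an incoming frame to a VLAN by port mode; None means drop."""
    port = PORTS[port_name]
    vlan_id, _, _ = parse_frame(frame)
    if port["mode"] == "access":
        # An access port accepts only untagged frames: the switch, not the
        # host, decides the VLAN, so a tagged frame arriving here is dropped.
        return port["vlan"] if vlan_id is None else None
    # Trunk: a tag is required and must be on the allowed list. Untagged frames
    # (which would fall into the native VLAN) are dropped as a hardening choice.
    return vlan_id if vlan_id in port["allowed"] else None

def inter_vlan_allowed(src_vlan, dst_vlan, dport):
    """Step 6: same VLAN needs no routing; across VLANs only ACL hits pass."""
    if src_vlan == dst_vlan:
        return True
    return any(r["src"] == src_vlan and r["dst"] == dst_vlan and r["dport"] == dport
               for r in ACL)

if __name__ == "__main__":
    ip = b"\x45\x00"  # stand-in for the start of an IPv4 header
    fin = build_untagged_frame("00:00:5e:00:53:20", "00:00:5e:00:53:01", ip)
    vlan = classify_ingress("Gi0/1", fin)
    print("finance host lands in VLAN", vlan)
    print("finance -> servers:443 allowed?", inter_vlan_allowed(vlan, 20, 443))
    print("finance -> servers:22 allowed? ", inter_vlan_allowed(vlan, 20, 22))
```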

Both network segmentation with DMZ and VLAN implementation play pivotal roles in
creating secure and well-organized network architectures, enabling organizations to manage
and protect their assets effectively.

Secure Remote Access Methods: VPN, SSH, and More

1. VPN (Virtual Private Network):

- VPNs establish encrypted tunnels over the Internet, ensuring secure communication
between remote users and the network.

- Users connect to the organization's private network through a VPN client, which encrypts
data and sends it through the tunnel.

- Different types of VPNs include:

- Site-to-Site VPN: Connects entire networks securely.

- Remote Access VPN: Allows individual users to connect securely.

- Common protocols used in VPNs are PPTP, L2TP/IPsec, SSTP, and OpenVPN.

- VPNs provide confidentiality, integrity, and authentication for remote access.

2. **SSH (Secure Shell)**:

- SSH is a cryptographic network protocol used for secure remote access to devices over an
unsecured network.

- It provides encrypted communication, authentication, and data integrity.

- SSH operates on the client-server model, with the server hosting SSH services and the
client connecting to it.

- Public key cryptography is often used for authentication, enhancing security.

3. **RDP (Remote Desktop Protocol)**:

- Developed by Microsoft, RDP allows remote access to Windows-based systems.

- RDP sessions can be secured using encryption and strong authentication methods.

4. **Wireless Network Security**:

Wireless networks are susceptible to various security risks due to their nature of
transmitting data over the air. Proper security measures are essential to mitigate these risks.

- **WPA3 (Wi-Fi Protected Access 3)**:

- The latest Wi-Fi security protocol, providing stronger encryption and protection against
brute-force attacks.

- **WPA2 (Wi-Fi Protected Access 2)**:

- The predecessor to WPA3, still widely used and secure if properly configured.

- It uses AES (Advanced Encryption Standard) encryption for data protection.

- **SSID Hiding**:

- Disabling SSID broadcasting can make the network less visible, but it's not a robust
security measure.

- **MAC Address Filtering**:

- Restricting access to devices with specific MAC addresses.

- Not foolproof as MAC addresses can be spoofed.

- **Captive Portals**:

- Used to authenticate users before granting access to the network.

- Often seen in public Wi-Fi networks.

5. **Risks Associated with Wireless Networks**:

- **Eavesdropping**:

- Unauthorized users can intercept and view wireless network traffic.

- **Data Interception and Manipulation**:

- Attackers can capture and modify data packets, potentially leading to data breaches or
malware injection.

- **Rogue Access Points**:

- Unauthorized access points set up by attackers to mimic legitimate networks, tricking
users into connecting.

- **Password Cracking**:

- Weak or easily guessable passwords can be cracked using various techniques.

- **Evil Twin Attacks**:

- Attackers set up malicious networks with names similar to legitimate networks, leading
users to connect to them unknowingly.

- **Denial of Service (DoS)**:

- Attackers can flood the network with traffic, causing it to become unavailable.

- **Misconfigured Devices**:

- Poorly configured devices can expose vulnerabilities and weak points in the network.

- **Physical Access**:

- Attackers with physical proximity to the network can attempt to compromise it.

Implementing strong encryption, authentication mechanisms, and regular security audits
can help mitigate these risks and ensure a more secure wireless network and remote access
environment.

Securing Wi-Fi Networks with Encryption and Authentication:

Wi-Fi networks are vulnerable to various security threats due to their wireless nature.
Securing them is essential to prevent unauthorized access, data breaches, and other
malicious activities. Encryption and authentication are two fundamental techniques for
enhancing Wi-Fi network security.

1. Encryption:

Encryption ensures that the data transmitted over the Wi-Fi network is scrambled and can
only be deciphered by authorized recipients with the correct decryption key. The most
commonly used encryption protocols are:

- **WPA2 (Wi-Fi Protected Access 2):** This is a widely used encryption protocol that
employs the Advanced Encryption Standard (AES) algorithm. It provides strong protection
for wireless communications by encrypting data and ensuring data integrity.

- **WPA3:** The successor to WPA2, WPA3 brings stronger security features such as
individualized data encryption for each client device, protection against brute-force attacks,
and more robust key exchange mechanisms.

2. Authentication:

Authentication ensures that only authorized users and devices can access the Wi-Fi
network. Different authentication methods include:

- **Pre-Shared Key (PSK):** Also known as a passphrase, this is a shared secret password
that all devices on the network must know to connect. While convenient, PSK can be
susceptible to dictionary attacks if the passphrase is weak.

- **802.1X/EAP:** This method employs a central authentication server, usually with a
RADIUS (Remote Authentication Dial-In User Service) backend, to validate users. It's often
used in enterprise environments and supports a range of Extensible Authentication Protocol
(EAP) methods for more secure authentication.

Wireless Intrusion Detection Systems (WIDS):

A Wireless Intrusion Detection System (WIDS) is a security solution designed to detect and
respond to unauthorized or malicious activities within a wireless network. WIDS monitors
the network for unusual patterns and behaviors that might indicate an intrusion. Here's how
it works:

1. Passive Monitoring:

- WIDS sensors passively listen to wireless traffic without participating in the network.

- They analyze data packets, looking for anomalies or signs of suspicious activity.

2. Detection Techniques:

- **Signature-Based Detection:** Compares network traffic against a database of known
attack signatures. If a match is found, the system raises an alert.

- **Anomaly-Based Detection:** Establishes a baseline of normal network behavior.
Deviations from this baseline are flagged as potential intrusions.

- **Heuristic Analysis:** Combines signature and anomaly-based detection to identify
previously unknown attacks based on their behavior.

3. Alerts and Responses:

- When the WIDS detects suspicious activity, it generates alerts for network
administrators.

- Responses can range from simple alerts to more advanced actions like isolating the
compromised device or adjusting network configurations to mitigate threats.
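An added Python example (not code from any WIDS product) of the two detection techniques described above: a signature-style check that flags a beacon advertising a managed SSID from a BSSID outside the inventory, and an anomaly-style check that learns a per-interval deauthentication-frame baseline from a quiet period and flags intervals that exceed it. The access-point inventory, frame observations, bucket size and threshold parameters are constructed assumptions.

```python
"""Two WIDS checks over constructed 802.11 management-frame metadata:
a signature-style evil-twin check and an anomaly-style deauthentication
flood check. Added example for these notes, not a product's code."""
from collections import Counter
from statistics import mean, pstdev

# Authorised access points: SSID -> set of BSSIDs (the sensor's inventory).
KNOWN_APS = {"corp-wifi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}

# Observation tuples: (time_s, frame_type, ssid, bssid). Constructed data.
# A quiet one-minute learning period used to build the baseline.
BASELINE_OBS = (
    [(float(t), "beacon", "corp-wifi", "aa:bb:cc:00:00:01") for t in range(0, 60, 10)]
    + [(3.0, "deauth", "corp-wifi", "aa:bb:cc:00:00:01"),
       (25.0, "deauth", "corp-wifi", "aa:bb:cc:00:00:02"),
       (48.0, "deauth", "corp-wifi", "aa:bb:cc:00:00:01"),
       (59.0, "beacon", "corp-wifi", "aa:bb:cc:00:00:02")]
)
# A later capture: an unknown BSSID advertises the corporate SSID and sends
# a burst of deauthentication frames; a single legitimate deauth follows.
LIVE_OBS = (
    [(0.0, "beacon", "corp-wifi", "aa:bb:cc:00:00:01"),
     (2.0, "beacon", "corp-wifi", "de:ad:be:ef:00:01")]
    + [(2.0 + 0.5 * i, "deauth", "corp-wifi", "de:ad:be:ef:00:01") for i in range(12)]
    + [(15.0, "deauth", "corp-wifi", "aa:bb:cc:00:00:02"),
       (19.0, "beacon", "corp-wifi", "aa:bb:cc:00:00:02")]
)

def detect_evil_twin(obs):
    """Signature-style: a beacon carrying a managed SSID from a BSSID that is
    not in the inventory. One alert per offending BSSID."""
    alerts, seen = [], set()
    for t, ftype, ssid, bssid in obs:
        if (ftype == "beacon" and ssid in KNOWN_APS
                and bssid not in KNOWN_APS[ssid] and bssid not in seen):
            seen.add(bssid)
            alerts.append({"rule": "evil_twin", "ssid": ssid, "bssid": bssid, "t": t})
    return alerts

def deauth_counts(obs, bucket_s=10):
    """Deauth frames per fixed time bucket, including empty buckets."""
    counts = Counter(int(t // bucket_s) for t, ftype, _, _ in obs if ftype == "deauth")
    if not obs:
        return {}
    first = int(min(o[0] for o in obs) // bucket_s)
    last = int(max(o[0] for o in obs) // bucket_s)
    return {b: counts[b] for b in range(first, last + 1)}

def learn_baseline(obs, k=3.0, floor=5.0):
    """Anomaly-style: threshold = mean + k * stddev of per-bucket deauth
    counts from the learning period, never below `floor` (avoids alerting
    on a single frame when the baseline is near zero)."""
    rates = list(deauth_counts(obs).values())
    if not rates:
        return floor
    return max(floor, mean(rates) + k * pstdev(rates))

def detect_deauth_flood(obs, threshold, bucket_s=10):
    """Flag every bucket whose deauth count exceeds the learned threshold."""
    return [{"rule": "deauth_flood", "window_start_s": b * bucket_s, "count": c}
            for b, c in deauth_counts(obs, bucket_s).items() if c > threshold]

def run_wids(baseline_obs, live_obs):
    """Learn from the quiet period, then run both checks on the live capture."""
    threshold = learn_baseline(baseline_obs)
    return detect_evil_twin(live_obs) + detect_deauth_flood(live_obs, threshold)

if __name__ == "__main__":
    for alert in run_wids(BASELINE_OBS, LIVE_OBS):
        print(alert)
```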

4. **Integration with Network Security:**

- WIDS can work alongside firewalls, intrusion prevention systems (IPS), and other security
tools to create a layered defense strategy.

- Integration with a Security Information and Event Management (SIEM) system allows for
centralized monitoring and management.

5. **Challenges:**

- **False Positives/Negatives:** WIDS systems can generate false alarms or miss
sophisticated attacks, requiring careful tuning and maintenance.

- **Encryption:** Encrypted traffic can be challenging to analyze, as the WIDS can't
inspect the payload without the decryption key.

In summary, securing Wi-Fi networks with encryption and authentication, along with
deploying a Wireless Intrusion Detection System, helps protect against unauthorized access
and malicious activities. It's crucial to implement a holistic security strategy that combines
these techniques with regular updates and monitoring to stay ahead of evolving threats.
