Learning Objectives

  1. List and explain different network security devices: We’ll be looking at the common hardware that helps protect networks. Think of them as the guards and gatekeepers of your digital castle.
  2. Explain how network technologies enhance security: Certain network features themselves provide a layer of protection. We’ll explore how they work.
  3. Describe secure network design elements: We will discuss architectural choices that make a network inherently more resistant to attacks. This is about planning security from the ground up.

Security Through Network Devices - Layered Security

The core concept here is defense in depth, also known as layered security. Imagine a castle with multiple layers of defense: a moat, walls, guards, and then finally the king’s chambers. Breaking through one layer doesn’t guarantee access to the whole castle. Similarly, in networking, we use multiple security devices and techniques. An attacker needs to overcome all of them to succeed. This makes the attack much harder and more time-consuming, greatly reducing the likelihood of a successful breach.


Standard Network Devices and the OSI Model

This introduces the Open Systems Interconnection (OSI) model. It’s a conceptual framework that divides network communication into seven layers. Each layer has a specific function, and devices operate at different layers.

This is fundamental for understanding how networks work and how security devices fit in. Think of it as an assembly line, with each layer performing a specific task before passing the data on to the next.

  • Layer 1 (Physical): The physical cables and connectors.
  • Layer 2 (Data Link): Handles local network addressing (MAC addresses) and frame formatting. Switches operate here.
  • Layer 3 (Network): Handles IP addresses and routing between networks. Routers operate here.
  • Layer 4 (Transport): Handles reliable data transmission (TCP) and connectionless transmission (UDP).
  • Layer 5 (Session): Manages connections between applications.
  • Layer 6 (Presentation): Handles data formatting and encryption/decryption.
  • Layer 7 (Application): The applications themselves (web browsers, email clients, etc.).

TIP

The OSI model has seven layers; you can remember them easily with the mnemonic “Please Do Not Throw Spinach Pizza Away”.

More about the OSI model: see Networking Concepts.


Standard Network Devices - Switches


  • Switches operate at Layer 2 (Data Link).
  • They learn the MAC addresses of connected devices and forward frames only to the intended recipient.
  • This is a significant improvement over older hubs, which broadcast every frame to every device, making them extremely vulnerable to eavesdropping.
  • A switch significantly improves security by limiting the broadcast domain.
  • An attacker attached to a switch sees only the frames directed to that port, not frames meant for other devices.
  • Because a switch no longer shows every frame to every port, network administrators need a dedicated way to monitor network traffic.

Monitoring Network Traffic

Network administrators need to monitor traffic for troubleshooting and security. Two key methods are:

  • Port mirroring: The switch copies traffic from one or more ports to a monitoring port, allowing the administrator to see all traffic on those ports without impacting network performance.
  • Network tap: A passive device that copies traffic from the network without interfering with it. It’s a more dedicated monitoring solution.

| Type of Attack | Description | Security Defense |
| --- | --- | --- |
| MAC flooding | An attacker can overflow the switch’s address table with fake MAC addresses, forcing it to act like a hub and send packets to all devices. | Use a switch that can close ports with too many MAC addresses. |
| MAC address impersonation | If two devices have the same MAC address, a switch may send frames to each device. An attacker can change the MAC address on her device to match the target device’s MAC address. | Configure the switch so that only one port can be assigned per MAC address. |
| ARP poisoning | The attacker sends a forged ARP packet to the source device, substituting the MAC address of the attacker’s computer. | Use an ARP detection appliance. |
| Port mirroring | An attacker connects his device to the switch’s mirror port. | Secure the switch in a locked room. |
| Network tap | A network tap is connected to the network to intercept frames. | Keep network connections secure by restricting physical access. |
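The MAC flooding row above is easiest to understand with a model of the switch's address table. This added example (not part of the lesson) is a toy Layer 2 switch: when its table is full it evicts old entries and floods unknown destinations like a hub, and a per-port MAC limit (the "close ports with too many MAC addresses" defense) shuts the offending port instead. All hosts, MAC addresses and table sizes are constructed values.

```python
from collections import OrderedDict

# Toy switch: learns MAC -> port, evicts the oldest entry when the table is full.
# max_macs_per_port=None means no port security (constructed scenario).
class Switch:
    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports, self.table_size, self.max_macs = ports, table_size, max_macs_per_port
        self.cam = OrderedDict()   # mac -> port, oldest entry first
        self.disabled = set()      # ports shut down by port security

    def learn(self, mac, port):
        if self.max_macs is not None and mac not in self.cam:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs:
                self.disabled.add(port)        # too many MACs on one port: disable it
                return
        if mac not in self.cam and len(self.cam) >= self.table_size:
            self.cam.popitem(last=False)       # table full: oldest entry is evicted
        self.cam[mac] = port
        self.cam.move_to_end(mac)

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of ports that receive the frame."""
        if in_port in self.disabled:
            return set()
        self.learn(src_mac, in_port)
        if in_port in self.disabled:
            return set()
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}             # known destination: unicast
        return set(self.ports) - {in_port}         # unknown destination: flood like a hub

def demo(port_security):
    """Hosts A (port 1) and B (port 2) talk while port 3 sends 10 bogus source MACs.
    Returns (ports receiving A's final frame to B, ports disabled by port security)."""
    sw = Switch(ports=[1, 2, 3], table_size=4,
                max_macs_per_port=1 if port_security else None)
    bcast = "ff:ff:ff:ff:ff:ff"
    sw.forward("aa:aa:aa:aa:aa:01", bcast, 1)                      # A announces itself
    sw.forward("bb:bb:bb:bb:bb:02", bcast, 2)                      # B announces itself
    for i in range(10):                                            # bogus MACs on port 3
        sw.forward("cc:cc:cc:cc:cc:%02x" % i, bcast, 3)
    return sw.forward("aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", 1), sw.disabled
```

Without port security the flooded table has forgotten host B, so A's frame is delivered to port 3 as well; with a one-MAC limit, port 3 is disabled after its second address and A's frame reaches only port 2.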

Standard Network Devices - Routers and Load Balancers

  • Routers (Layer 3): Forward packets between different networks. They are crucial for routing traffic across the internet. They can also be configured with access control lists (ACLs) to filter traffic based on source/destination IP addresses, ports, and protocols.

  • Load Balancers: Distribute network traffic across multiple servers to prevent overload and improve performance. This is vital for website uptime and availability. They can also act as a first line of defense by distributing traffic, stopping attacks from crippling a single server.

  • Load balancers are grouped into two categories:
    • Layer 4 load balancers: act upon data found in Network and Transport layer protocols
    • Layer 7 load balancers: distribute requests based on data found in Application layer protocols

Load Balancers: Advantages and Security

Load balancers offer significant security advantages:

  • Distributed Denial-of-Service (DDoS) Protection: By distributing traffic, they make it harder for DDoS attacks to overwhelm a single server.
  • Attack Detection: Some load balancers can detect and mitigate attacks.
  • Hiding Server Information: They can mask the internal structure of the network.

Standard Network Devices - Proxies

Proxies act as intermediaries between clients and servers. They can improve performance, reduce costs, and enhance security.

  • Proxy Server: Intercepts requests, processes them, and forwards them to the destination server.
  • Application-Aware Proxy: Understands application protocols, allowing for more sophisticated filtering and control.
  • Reverse Proxy: Protects internal servers by sitting in front of them, handling client requests and forwarding them appropriately.

Network Security Hardware - Firewalls

Firewalls are specialized devices or software that inspect network traffic and block unauthorized access.

  • Packet Filtering (Stateless): Examines each packet individually based on pre-defined rules.
  • Packet Filtering (Stateful): Keeps track of the connection state, allowing it to make more intelligent decisions about which packets to allow or block. This is more secure than stateless filtering.
  • Application-Aware Firewalls (NGFWs): Go beyond simple port-based filtering by identifying applications and their behavior.
  • Web Application Firewalls (WAFs): Specifically designed to protect web applications from attacks.
    • A special type of application-aware firewall that looks deeply into packets carrying HTTP traffic.
    • Can block specific sites or specific types of HTTP traffic.
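Why stateful filtering is described as more secure than stateless filtering is easiest to see side by side. This added example (not from the lesson) models both: a stateless rule that admits inbound TCP "replies" by checking the ACK flag, and a stateful filter that admits inbound packets only when they belong to a connection an inside host opened. Network addresses and packets are constructed sample values.

```python
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/24")      # constructed internal network

def is_inside(ip):
    return ip_address(ip) in INSIDE

def stateless_allow(pkt):
    """Stateless rule set: permit everything outbound; permit inbound TCP only
    when the ACK flag is set, the usual stateless approximation of 'a reply'."""
    src, sport, dst, dport, flags = pkt
    return is_inside(src) or "ACK" in flags

class StatefulFilter:
    """Tracks connections opened from inside and admits only their replies."""
    def __init__(self):
        self.conns = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        src, sport, dst, dport, flags = pkt
        if is_inside(src):
            if flags == {"SYN"}:                      # inside host opens a connection
                self.conns.add((src, sport, dst, dport))
            return True
        key = (dst, dport, src, sport)                # reply direction of a tracked flow
        if key not in self.conns:
            return False                              # no matching connection: drop
        if flags & {"FIN", "RST"}:
            self.conns.discard(key)                   # connection closing: forget it
        return True

def run(filt):
    """Constructed traffic: one legitimate web connection, then an inbound
    packet from an unknown host that merely carries the ACK flag."""
    pkts = [
        ("10.0.0.5", 51000, "203.0.113.10", 443, {"SYN"}),          # outbound open
        ("203.0.113.10", 443, "10.0.0.5", 51000, {"SYN", "ACK"}),   # genuine reply
        ("198.51.100.7", 40000, "10.0.0.5", 8080, {"ACK"}),        # unsolicited
    ]
    return [filt(p) for p in pkts]
```

The stateless filter passes all three packets because the third one looks like a reply; the stateful filter drops it because no inside host ever opened that connection.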

Network Security Hardware - Spam Filters

Spam filters prevent unwanted email from reaching users. They can be installed on mail servers or used as a third-party service. They typically work by analyzing email headers and content to identify spam. The key is to filter before the email reaches the internal network.

  • Email systems use two protocols:
    • Simple Mail Transfer Protocol (SMTP): Handles outgoing mail
    • Post Office Protocol (POP): Handles incoming mail

Spam filters installed with the SMTP server

  • The filter is configured to listen on port 25
  • Non-spam e-mail is passed to the SMTP server listening on another port
  • This method prevents the SMTP server from notifying the spammer of failed message delivery

Spam filters installed on the POP3 server

  • All spam must first pass through SMTP server and be delivered to user’s mailbox
  • Can result in increased costs
    • Storage, transmission, backup, deletion

Third-party entity contracted to filter spam

  • All email directed to third-party’s remote spam filter
  • E-mail cleaned before being redirected to organization

Network Security Hardware - VPNs

VPNs create secure connections over untrusted networks (like the internet). Data is encrypted, protecting it from eavesdropping. There are two main types, both built on tunneling protocols:

  • Remote Access VPN: Allows individual users to connect to a private network remotely.
  • Site-to-Site VPN: Connects entire networks securely.
  • Tunneling Protocols (IPsec, L2TP): These are the protocols that encrypt and encapsulate the data for transmission over the VPN tunnel.

Network Security Hardware - Internet Content Filters

Content filters block access to inappropriate or malicious websites and files. They typically work by blocking URLs or keywords.

| Feature | Description |
| --- | --- |
| URL filtering and content inspection | Network administrators can block access to specific websites, or allow only specific websites while all others are blocked. Blocking can be based on keywords, URL patterns, or lists of prohibited sites. |
| Malware inspection and filtering | Files are scanned for malicious content, and access is blocked if a file exhibits suspicious behavior. |
| Prohibiting file downloads | Executable programs (.exe), audio or video files (.mp3, .avi, .mpg), and archive files (.zip, .rar) can be blocked. |
| Profiles | Content-specific websites, such as adult, hacking, and virus-infected websites, can be blocked. |
| Detailed reporting | Administrators can monitor Internet traffic and identify users who attempt to foil the filters. |

Web Security Gateways & Intrusion Detection/Prevention Systems

  • Web Security Gateways: Inspect web traffic for malicious content and block it in real time.
  • Intrusion Detection System (IDS): Monitors network traffic for malicious activity and alerts administrators.
  • Intrusion Prevention System (IPS): Similar to an IDS, but it can also actively block malicious traffic.

Intrusion Detection/Prevention System Methodologies

IDS/IPS systems use various methods to detect intrusions:

  • Signature-Based: Looks for known attack patterns.
  • Anomaly-Based: Compares current behavior to a baseline and flags deviations.
  • Behavior-Based: Monitors process behavior for suspicious activity.
  • Heuristic-Based: Uses experience-based rules to identify suspicious activity.
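Signature-based and anomaly-based detection each miss what the other catches, which this added example (not from the lesson) shows by running both over a few constructed web-server log entries: one request carries a known path-traversal pattern, another looks harmless but arrives at an abnormal rate. The log entries, baseline request counts and signature patterns are all constructed.

```python
import re
from statistics import mean, pstdev

# Constructed sample log: (client_ip, requests_in_window, request_path)
LOG = [
    ("10.0.0.11", 12, "/index.html"),
    ("10.0.0.12", 15, "/login"),
    ("10.0.0.13", 9,  "/images/logo.png"),
    ("10.0.0.14", 11, "/search?q=../../etc/passwd"),   # known traversal pattern, normal rate
    ("10.0.0.15", 400, "/index.html"),                 # harmless path, abnormal rate
]

# Constructed baseline: requests per window seen from ordinary clients
BASELINE = [10, 12, 9, 14, 11, 13, 10, 12]

# Constructed signatures: known attack patterns to look for in request paths
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "script-injection": re.compile(r"<script", re.IGNORECASE),
}

def signature_detect(log):
    """Signature-based: flag entries whose path matches a known pattern.
    Returns {client_ip: signature_name}."""
    hits = {}
    for ip, _, path in log:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits[ip] = name
    return hits

def anomaly_detect(log, baseline, k=3.0):
    """Anomaly-based: flag clients whose request rate exceeds the baseline
    mean by more than k standard deviations. Returns a set of client IPs."""
    threshold = mean(baseline) + k * pstdev(baseline)
    return {ip for ip, count, _ in log if count > threshold}
```

The signature detector flags only 10.0.0.14 and is blind to the flood; the anomaly detector flags only 10.0.0.15 and is blind to the traversal string, which is why the two methods are used together.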

Security Through Network Technologies - NAT & PAT

  • Network Address Translation (NAT): Masks internal IP addresses, so hosts outside the network cannot see or directly address them. This provides a layer of protection against direct attacks.
  • Port Address Translation (PAT): A variation of NAT that allows multiple internal devices to share a single public IP address.
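The PAT table is what lets many inside hosts share one public address. This added example (not from the lesson) is a minimal translation table: each outbound flow is rewritten to the shared public IP with its own public port, replies are mapped back to the inside host, and inbound packets with no table entry are dropped. All addresses and ports are constructed values.

```python
class PAT:
    """Minimal Port Address Translation table (constructed example)."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (inside_ip, inside_port, dst_ip, dst_port) -> public_port
        self.in_map = {}    # (public_port, dst_ip, dst_port) -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside packet's source to the shared public address,
        allocating a fresh public port the first time a flow is seen."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a packet arriving at the public address back to the inside host,
        or return None when no flow matches (unsolicited traffic is dropped)."""
        if dst_ip != self.public_ip:
            return None
        inside = self.in_map.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])

def demo():
    """Two inside hosts using the same source port reach the same web server
    through one public IP; a reply comes back to the right host; a stray
    inbound packet to an unmapped port is dropped."""
    pat = PAT("198.51.100.1")
    a = pat.outbound("10.0.0.5", 51000, "203.0.113.10", 443)
    b = pat.outbound("10.0.0.6", 51000, "203.0.113.10", 443)   # same inside port as a
    reply_a = pat.inbound("203.0.113.10", 443, "198.51.100.1", a[1])
    stray = pat.inbound("203.0.113.99", 80, "198.51.100.1", 22)
    return a, b, reply_a, stray
```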

Security Through Network Technologies - Network Access Control (NAC)

NAC ensures that devices connecting to the network meet certain security requirements before being granted access. If a device doesn’t meet the requirements, it might be placed in a quarantined network until it’s fixed.


Security Through Network Design Elements

This introduces key architectural concepts for secure network design:

  • Demilitarized Zones (DMZs): A buffer zone between the public internet and the internal network. Publicly accessible servers (web servers, mail servers) are often placed in the DMZ.
  • Subnetting: Dividing a network into smaller subnets for better organization and security.
  • Virtual LANs (VLANs): Logical segmentation of a network, allowing administrators to isolate different parts of the network for better security.
  • Remote Access: Secure methods for allowing remote users to access the network (VPN is a key technology for this).

Labs

Lab 6 DFEH


Summary

This lesson explores network security, focusing on layered security using various devices and network technologies. The core concept is “defense in depth,” where multiple security layers make attacks significantly harder.

The lesson covers:

  • Network Devices and the OSI Model: Explains how network devices (switches, routers, load balancers, proxies, firewalls, spam filters, VPNs, content filters, web security gateways, and IDS/IPS systems) operate at different layers of the OSI model to provide layered security. The importance of monitoring network traffic (port mirroring and network taps) is also highlighted.

  • Network Technologies: NAT and PAT are explained as mechanisms for masking internal IP addresses and improving security. Network Access Control (NAC) is introduced as a method to ensure devices meet security requirements before gaining network access.

  • Secure Network Design: Key architectural elements are discussed, including DMZs, subnetting, VLANs, and secure remote access methods (like VPNs). Different types of firewalls and their functionalities are outlined, including next-generation firewalls (NGFWs) and web application firewalls (WAFs). The methodologies used by intrusion detection/prevention systems (IDS/IPS) are also explained.

In essence, the lesson provides a comprehensive overview of network security devices, technologies, and design principles, emphasizing the importance of a multi-layered approach to protect networks effectively.