Domain 4: Network Security - Coggle Diagram
Network Architecture
A network is simply two or more computers linked together to share data, information or resources.
Local area network (LAN)
Wide area network (WAN)
Network Devices:
Hubs
Hubs connect multiple devices in a network by repeating every frame out of every port, so any attached host can see all traffic on the hub; switches, which forward frames only to the port of the destination MAC address, have largely replaced them.
Firewall
Switch
Server
Router
Endpoint
Device Address
Media Access Control
(MAC)
Address
Every network device is assigned a Media Access Control (MAC) address.
Internet Protocol
(IP)
Address
While MAC addresses are generally assigned in the firmware of the interface, IP hosts associate that address with a unique logical address.
Wi-Fi
It has made networking more versatile than ever before. Workstations and portable systems are no longer tied to a cable but can roam freely within the signal range of the deployed wireless access points. However, with this freedom comes additional vulnerabilities.
Microsegmentation
The toolsets of current adversaries are polymorphic in nature and allow threats to bypass static security controls.
Modern cyber attacks take advantage of traditional security models to move easily between systems within a data center. Microsegmentation aids in protecting against these threats.
Microsegmentation Characteristics:
Allows for granular restrictions within the IT environment.
Uses logical rules, not physical rules, and does not require additional hardware or manual interaction with the device.
Is the ultimate end state of the defense-in-depth philosophy; no single point of access within the IT environment can lead to broader compromise.
Is crucial in shared environments, such as the cloud, where more than one customer's data and functionality might reside on the same device(s), and where third-party personnel.
Allows the organization to limit which business functions, units, offices, or departments can communicate with others, to enforce the concept of least privilege.
Is available because of virtualization and software-defined networking (SDN) technologies. In the cloud, the tools for applying this strategy are often called "virtual private clouds (VPCs)" or "security groups."
Can be used to separate computers from smart TVs, air conditioning, and smart appliances, which can be connected and have vulnerabilities.
Network Segmentation
(Demilitarized Zone)
Network segmentation is an effective way to achieve defense in depth for distributed or multitiered applications. The use of a demilitarized zone (DMZ), for example, is a common practice in security architecture.
With a DMZ, host systems that are accessible through the firewall are physically separated from the internal network by means of secured switches or by using an additional firewall to control traffic between the web server and the internal network.
Virtual Private Network (VPN)
A virtual private network (VPN) is not necessarily an encrypted tunnel. It is simply a point-to-point connection between two hosts that allows them to communicate; confidentiality and integrity come only from the tunneling protocol chosen, such as IPsec or TLS, and from how it is configured.
As an alternative to expensive dedicated point-to-point connections, organizations use gateway-to-gateway VPNs to securely transmit information over the internet between sites or even with business partners.
Virtual Local Area Network (VLAN)
Allow network administrators to use switches to create software-based LAN segments, which can segregate or consolidate traffic across multiple switch ports.
Devices sharing a VLAN: Devices that share a VLAN communicate through switches as if they were on the same Layer 2 network (Data Link Layer).
Software-based LAN segments: Imagine a large building with many rooms. Typically, all computers in that building might share one network. VLANs allow you to create "virtual rooms" within that network.
Benefits of VLANs:
Broadcast traffic limitation
: Since VLANs act as discrete networks, broadcast traffic (data sent to all devices in a network segment) is limited to the VLAN.
Simplified administration
: Administration of the environment is simplified, as the VLANs can be reconfigured when individuals change their physical location or need access to different services.
Network Design
The objective of network design is to satisfy data communication requirements and achieve the result of efficient overall performance.
Network Segmentation
Network segmentation involves controlling traffic among networked devices.
Physical Segmentation
: Complete or physical network segmentation occurs when a network is isolated from all outside communications, so transactions can only occur between devices within the segmented network.
Demilitarized Zone (DMZ)
A DMZ is a network area that is designed to be accessed by outside visitors but is still isolated from the organization's private network.
Purpose: The DMZ is often the host of public servers like web, email, file, and other resource servers.
Virtual Local Area Networks (VLANs)
Secure Infrastructure Strategies
Tools to Identify and Prevent Threats
Intrusion Detection System (IDS)
An intrusion occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization's resources.
An intrusion detection system (IDS) automates the inspection of logs and real-time system events to detect intrusion attempts and system failures.
An IDS is intended as part of a defense-in-depth security plan. It will work with, and complement, other security mechanisms such as firewalls, but it does not replace them.
A primary goal of an IDS is to provide a means for a timely and accurate response to intrusions.
IDS types are commonly classified as host-based and network-based. A host-based IDS (HIDS) monitors a single computer or host. A network-based IDS (NIDS) monitors a network by observing network traffic patterns.
Host-based Intrusion
Detection System (HIDS)
A HIDS monitors activity on a single computer, including process calls and information recorded in system, application, security, and host-based firewall logs.
It can often examine events in more detail than a NIDS can, and it can pinpoint specific files compromised in an attack
Network Intrusion
Detection System (NIDS)
A NIDS monitors and evaluates network activity to detect attacks or event anomalies. It cannot monitor the content of encrypted traffic but can monitor other packet details.
A single NIDS can monitor a large network by using remote sensors. These sensors can monitor traffic at routers, firewalls, network switches that support port mirroring, and other types of network taps.
A NIDS has very little negative effect on the overall network performance, and when it is deployed on a single-purpose system, it doesn't adversely affect performance on any other computer.
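The following is an added example, not part of the original diagram, of the kind of pattern a NIDS sensor can detect without looking at payload: one source touching many distinct ports on one host in a short window, which is the signature of a port scan. The connection records are constructed for the example, and the window and threshold values are arbitrary choices, not values from the page.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed connection records, as a sensor on a mirrored switch port might
# summarise them: (timestamp_seconds, src_ip, dst_ip, dst_port). Not real data.
SAMPLE_FLOWS: List[Tuple[float, str, str, int]] = [
    (100.0, "10.1.2.3", "192.0.2.10", 443),     # normal browsing to the web server
    (100.5, "203.0.113.9", "192.0.2.10", 21),   # start of a sequential scan
    (101.0, "203.0.113.9", "192.0.2.10", 22),
    (101.5, "203.0.113.9", "192.0.2.10", 23),
    (102.0, "10.1.2.3", "192.0.2.10", 443),
    (102.5, "203.0.113.9", "192.0.2.10", 25),
    (103.0, "203.0.113.9", "192.0.2.10", 80),   # fifth distinct port inside the window
    (103.5, "203.0.113.9", "192.0.2.10", 443),
    (150.0, "10.1.2.3", "192.0.2.10", 443),
]


def detect_port_scans(flows, window: float = 10.0, threshold: int = 5) -> List[dict]:
    """Raise one alert per (src, dst) pair that touches at least `threshold`
    distinct destination ports within `window` seconds.

    Only packet headers (addresses and ports) are used, so the logic works
    unchanged on encrypted traffic, where the NIDS cannot read the content.
    """
    recent: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)
    alerted = set()
    alerts: List[dict] = []
    for ts, src, dst, dport in sorted(flows):        # process in time order
        key = (src, dst)
        queue = recent[key]
        queue.append((ts, dport))
        while queue and ts - queue[0][0] > window:   # expire records outside the window
            queue.popleft()
        distinct = {port for _, port in queue}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)                         # alert once, not on every later packet
            alerts.append({"src": src, "dst": dst, "at": ts, "ports": sorted(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_FLOWS):
        print(f"port scan from {alert['src']} against {alert['dst']} at t={alert['at']}: "
              f"ports {alert['ports']}")
```

Raising the threshold or shortening the window trades missed slow scans for fewer false positives; a real sensor would also key on the TCP flags (a SYN with no completed handshake) rather than on any connection record.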
Security Information and
Event Management (SIEM)
Security management involves the use of tools that collect information about the IT environment from many disparate sources to better examine the overall security of the organization and streamline security efforts.
The general idea of a SIEM solution is to gather log data from various sources across the enterprise to better understand potential security concerns and apportion resources accordingly
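An added example (not from the original diagram) of the core SIEM step the paragraph describes: pulling log lines from two unrelated sources into one event schema and then correlating them by source address. Both log formats and all addresses are constructed for the example and do not represent any vendor's real format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed firewall log (assumed format): timestamp host ACTION src= dst= dport=
FIREWALL_LOG = """\
2024-05-01T10:00:01Z fw01 DENY src=203.0.113.9 dst=192.0.2.10 dport=22
2024-05-01T10:00:02Z fw01 DENY src=203.0.113.9 dst=192.0.2.10 dport=3389
2024-05-01T10:00:03Z fw01 ALLOW src=203.0.113.9 dst=192.0.2.10 dport=443
2024-05-01T10:00:04Z fw01 DENY src=198.51.100.4 dst=192.0.2.10 dport=25
"""

# Constructed Linux auth log (sshd-style lines, timestamps assumed to be ISO 8601)
AUTH_LOG = """\
2024-05-01T10:00:40Z web01 sshd[311]: Failed password for root from 203.0.113.9 port 51000 ssh2
2024-05-01T10:00:41Z web01 sshd[311]: Failed password for admin from 203.0.113.9 port 51001 ssh2
2024-05-01T10:05:00Z web01 sshd[320]: Accepted publickey for deploy from 10.1.2.3 port 40000 ssh2
"""

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+) port")


def _ts(text: str) -> datetime:
    """Parse the trailing-Z ISO timestamp used in the constructed logs."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def normalise(fw_text: str, auth_text: str) -> List[Dict]:
    """Reduce both raw formats to one schema: ts, src, type, host."""
    events: List[Dict] = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m and m.group(3) == "DENY":
            events.append({"ts": _ts(m.group(1)), "src": m.group(4),
                           "type": "fw_deny", "host": m.group(2)})
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": _ts(m.group(1)), "src": m.group(4),
                           "type": "auth_fail", "host": m.group(2)})
    return events


def correlate(events: List[Dict], window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Alert when a source that the firewall denied then fails logins on a
    host within `window`: two weak signals that together deserve a look."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)
    alerts: List[Dict] = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        denies = [e for e in evs if e["type"] == "fw_deny"]
        fails = [e for e in evs if e["type"] == "auth_fail"]
        if denies and fails and fails[-1]["ts"] - denies[0]["ts"] <= window:
            alerts.append({"src": src, "fw_denies": len(denies),
                           "auth_failures": len(fails),
                           "hosts": sorted({e["host"] for e in evs})})
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalise(FIREWALL_LOG, AUTH_LOG)):
        print(alert)
```

Each source on its own is noisy (firewalls deny constantly, users mistype passwords); the value of the SIEM is the join across sources, which is why normalising timestamps and address fields into one schema comes first.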
Redundancy
The concept of redundancy is to design systems with duplicate components so that if a failure were to occur, there would be a backup. This can apply to the data center as well.
If the organization requires full redundancy, devices should have two power supplies connected to diverse power sources. Those power sources would be backed up by batteries and generators. In a high-availability environment, even generators would be redundant and fed by different fuel types.
Examples of Redundancy
Data Redundancy
Keeping redundant backups of information. Ensuring data isn't lost and operations can continue.
Power Redundancy
Uninterruptible Power Supply
(UPS)
: A UPS is a device that provides temporary power when the main power source is cut off.
Transfer Switches:
These devices automatically or manually switch the power source from the main supply to a backup source (e.g., a generator) when needed.
Backup Generators
: These are the primary power source when grid power is lost. They are often powered by diesel, gasoline, propane, or even solar panels.
Multiple Power Companies/Grids
: Highly critical organizations like a hospital or an essential government agency might contract with more than one power company and be on two different grids
Deep Dive of On-Premises Data Centers
Ports and Services Management
Preventing Threats
Some basic steps you can take that help reduce the risk of many types of threats:
Keep systems and applications up to date.
Use intrusion detection and prevention systems
Use up-to-date anti-malware software
Remove or disable unneeded services and protocols.
Use firewalls
Antivirus
The use of antivirus products is strongly encouraged as a security best practice and is a requirement for compliance with the Payment Card Industry Data Security Standard (PCI DSS)
Scans
Regular vulnerability and port scans are a good way to evaluate the effectiveness of security controls used within an organization.
Firewalls
Isolate network segments from each other, as a security measure.
Firewalls enforce policies by filtering network traffic based on a set of rules.
Firewalls have rapidly evolved over time to provide enhanced security capabilities.
A next-generation firewall integrates a variety of threat management capabilities into a single framework, including proxy services, intrusion prevention services (IPS) and tight integration with the identity and access management (IAM) environment to ensure only authorized users are permitted to pass traffic across the infrastructure.
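An added example, not from the original diagram, tying together the firewall rules described here, the DMZ design in the Network Segmentation section and the least-privilege goal of microsegmentation: a first-match, default-deny policy evaluated per connection, plus an audit that checks no rule lets the internet bypass the DMZ. The zone addressing, the rule set and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zone addressing for the example (documentation ranges, not real hosts).
ZONE_NETWORKS = {
    "dmz": [ip_network("192.0.2.0/24")],       # public-facing web tier
    "internal": [ip_network("10.0.0.0/8")],    # private network, including the database
}
# Any address outside the named zones is treated as the internet.


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# Ordered policy: first match wins; anything that matches nothing is denied.
POLICY: List[Rule] = [
    Rule("internet", "dmz", "tcp", 443, "allow"),        # public HTTPS to the web tier only
    Rule("dmz", "internal", "tcp", 5432, "allow"),       # web tier may reach the database port, nothing else
    Rule("internal", "dmz", "tcp", 22, "allow"),         # admins manage DMZ hosts over SSH
    Rule("internal", "internet", "tcp", None, "allow"),  # outbound traffic from the private network
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are 'internet'."""
    addr = ip_address(ip)
    for zone, nets in ZONE_NETWORKS.items():
        if any(addr in net for net in nets):
            return zone
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int,
             policy: List[Rule] = POLICY) -> str:
    """Return 'allow' or 'deny' for one connection attempt (first matching rule wins)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto == proto
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "deny"   # implicit default deny


def audit(policy: List[Rule] = POLICY) -> List[str]:
    """Flag any rule that would let the internet reach the internal zone directly,
    which would defeat the purpose of placing public hosts in the DMZ."""
    findings = []
    for rule in policy:
        if rule.action == "allow" and rule.src_zone == "internet" and rule.dst_zone == "internal":
            findings.append(f"internet -> internal allowed on {rule.proto}/{rule.dport}")
    return findings


if __name__ == "__main__":
    # A compromised DMZ web server (192.0.2.10) can reach only the database port.
    print(evaluate("192.0.2.10", "10.1.1.5", "tcp", 5432))   # allow
    print(evaluate("192.0.2.10", "10.1.1.5", "tcp", 22))     # deny
    print(evaluate("203.0.113.7", "10.1.1.5", "tcp", 443))   # deny: internet may not skip the DMZ
    print(audit())                                           # []
```

The point of the second rule is the blast radius: if the web server in the DMZ is compromised, the attacker still cannot open SSH or any other port towards the internal network, only the one database port the application legitimately needs. Real firewalls express the same idea with zone-based or per-interface rule sets; the evaluation order and default-deny behaviour are what matter.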
Intrusion Prevention System (IPS)
An intrusion prevention system (IPS) is a special type of active IDS that automatically attempts to detect and block attacks before they reach target systems.
All traffic must pass through the IPS and the IPS can choose what traffic to forward and what traffic to block after analyzing it. This allows the IPS to prevent an attack from reaching a target.
Security of the Network
TCP/IP's vulnerabilities are numerous. Improperly implemented TCP/IP stacks in various operating systems are vulnerable to various DoS/DDoS attacks, fragment attacks, oversized packet attacks, spoofing attacks, and man-in-the-middle attacks.
TCP/IP (as well as most protocols) is also subject to passive attacks via monitoring or sniffing.
SYN, SYN-ACK, ACK Handshake
The Steps of the Three-Way Handshake:
Step 1: Synchronization Request (SYN)
First, the client sends a SYN packet (short for "synchronize") to the web server.
This packet is typically sent to port 80 (for regular websites - HTTP) or port 443 (for secure websites - HTTPS) of the web server.
The SYN packet is like the client saying: "Hello server! I want to establish a connection with you. Are you ready?"
Step 2: Synchronization-Acknowledgment (SYN-ACK)
When the web server receives the SYN packet, if it's ready to establish the connection, it replies with a SYN-ACK packet.
The SYN-ACK packet is like the server replying: "Hello client! I've received your request and I'm also ready to connect. Please acknowledge that you got this!"
Step 3: Acknowledgment (ACK)
Finally, the client receives the SYN-ACK packet and sends back an ACK packet (short for "acknowledgment") to the web server.
This ACK packet is like the client saying: "Great! I've received your acknowledgment, and the connection is ready."
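An added example (not part of the original diagram) that walks through the three steps above with both sides' segments, including the sequence and acknowledgment numbers the prose leaves out. It also shows two things the Security of the Network section alludes to: a server that refuses an ACK which does not echo its own initial sequence number plus one, and the effect of a SYN flood on a bounded backlog. Class and function names, the backlog size and the addresses are assumptions for the example.

```python
import random
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

MASK = 0xFFFFFFFF   # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: frozenset   # subset of {"SYN", "ACK"}


class Listener:
    """Server side of the handshake on one port, with a bounded SYN backlog."""

    def __init__(self, port: int = 443, backlog: int = 3):
        self.port = port
        self.backlog = backlog
        # (client address, client port) -> (our ISN, client's ISN) while half-open
        self.half_open: Dict[Tuple[str, int], Tuple[int, int]] = {}
        self.established: Set[Tuple[str, int]] = set()

    def receive(self, seg: Segment) -> Optional[Segment]:
        if seg.dport != self.port:
            return None
        key = (seg.src, seg.sport)
        if seg.flags == frozenset({"SYN"}):                      # step 1: SYN arrives
            if len(self.half_open) >= self.backlog:
                return None                                      # backlog full: SYN dropped
            isn = random.getrandbits(32)                         # unpredictable ISN resists blind spoofing
            self.half_open[key] = (isn, seg.seq)
            return Segment("server", self.port, seg.sport, isn, (seg.seq + 1) & MASK,
                           frozenset({"SYN", "ACK"}))            # step 2: SYN-ACK
        if seg.flags == frozenset({"ACK"}) and key in self.half_open:   # step 3: ACK
            isn, client_isn = self.half_open[key]
            if seg.ack == (isn + 1) & MASK and seg.seq == (client_isn + 1) & MASK:
                del self.half_open[key]
                self.established.add(key)
            # an ACK that does not echo our ISN + 1 changes no state
        return None


def client_connect(server: Listener, src: str, sport: int) -> bool:
    """Run the handshake from the client side; True once the server is ESTABLISHED."""
    isn = random.getrandbits(32)
    syn_ack = server.receive(Segment(src, sport, server.port, isn, 0, frozenset({"SYN"})))
    if syn_ack is None or syn_ack.ack != (isn + 1) & MASK:
        return False                                             # no reply, or wrong acknowledgment
    server.receive(Segment(src, sport, server.port, (isn + 1) & MASK,
                           (syn_ack.seq + 1) & MASK, frozenset({"ACK"})))
    return (src, sport) in server.established


def syn_flood(server: Listener, count: int) -> int:
    """Send SYNs from spoofed sources and never complete them; returns the half-open count."""
    for i in range(count):
        server.receive(Segment(f"198.51.100.{i + 1}", 40000 + i, server.port,
                               random.getrandbits(32), 0, frozenset({"SYN"})))
    return len(server.half_open)


if __name__ == "__main__":
    s = Listener()
    print("normal handshake:", client_connect(s, "10.1.2.3", 51000))    # True
    print("half-open after flood:", syn_flood(s, 10))                    # 3 (backlog size)
    print("handshake during flood:", client_connect(s, "10.1.2.4", 51001))  # False
```

The flood works because the server commits state at step 1 while the spoofed clients never send step 3; real stacks answer this with SYN cookies, which encode the state in the ISN instead of storing it, so the backlog cannot be exhausted.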
Ports and Protocols (Applications/Services)
There are physical ports that you connect wires to and logical ports that determine where the data/traffic goes.
Physical Ports
Physical ports are the ports on the routers, switches, servers, computers, etc., to which you connect the wires (e.g., fiber-optic cables, Cat5 cables) to create a network.
Logical Ports
When a communication connection is established between two systems, it is done using ports.
Ports allow a single IP address to support multiple simultaneous communications, each using a different port number.
When in doubt, systems should be implemented using the most secure version of a protocol and its services.
Well-known ports (0–1023): These ports are related to the common protocols that are at the core of the Transmission Control Protocol/Internet Protocol (TCP/IP) model, Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), etc.
Registered ports (1024–49151): These ports are often associated with proprietary applications from vendors and developers.
Dynamic or private ports (49152–65535): These are not assigned to any service; operating systems typically pick the client side of an outbound connection (the ephemeral port) from this range.
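An added example, not from the original diagram, that puts the port ranges above together with the advice to use the most secure protocol version and the earlier note that regular port scans evaluate controls: a minimal TCP connect scanner and a triage routine that classifies each open port by range and flags cleartext services with the hardened alternative to prefer. The mapping of ports to service names is an assumption for the example (it is the conventional assignment, but a real scan must fingerprint the service rather than trust the port number).

```python
import socket
from typing import Dict, Iterable, List, Tuple


def port_range(port: int) -> str:
    """Classify a port into the three ranges the page describes."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a TCP/UDP port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


# Cleartext or legacy services keyed by conventional port, with the alternative to prefer.
# Assumed mapping for the example; confirm the actual service with a banner grab.
INSECURE_SERVICES: Dict[int, Tuple[str, str]] = {
    21: ("ftp", "sftp over ssh (22) or ftps (990)"),
    23: ("telnet", "ssh (22)"),
    80: ("http", "https (443)"),
    110: ("pop3", "pop3s (995)"),
    143: ("imap", "imaps (993)"),
    389: ("ldap", "ldaps (636)"),
}


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Full-connect scan: a port is open if the three-way handshake completes.
    Noisy (every attempt is logged by the target) but needs no raw sockets."""
    open_ports: List[int] = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:          # refused, timed out or unreachable: treat as not open
            pass
    return open_ports


def triage(open_ports: Iterable[int]) -> List[str]:
    """Turn a list of open ports into review items for the owner of the host."""
    findings: List[str] = []
    for port in sorted(open_ports):
        rng = port_range(port)
        if port in INSECURE_SERVICES:
            name, alternative = INSECURE_SERVICES[port]
            findings.append(f"{port}/tcp ({rng}): {name} is cleartext/legacy; replace with {alternative}")
        else:
            findings.append(f"{port}/tcp ({rng}): confirm the service is required, otherwise disable it")
    return findings


def demo_local_scan() -> List[str]:
    """Scan a throwaway listener on 127.0.0.1 so the example runs offline."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free ephemeral port
    listener.listen(5)
    port = listener.getsockname()[1]
    try:
        return triage(tcp_connect_scan("127.0.0.1", [port]))
    finally:
        listener.close()


if __name__ == "__main__":
    for line in demo_local_scan():
        print(line)
```

Run the scanner only against hosts you are authorised to test; the triage output is the list to compare against the host's intended service inventory, and every port that is open but not on that list is a candidate for "remove or disable unneeded services".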
Cloud Computing Infrastructure: Benefits of Cloud Computing
Security and Flexibility:
Cloud computing offers high flexibility (easily scaling resources up or down as needed). Security is shared: the provider secures the underlying infrastructure, while the customer remains responsible for configuring its own workloads, identities and data securely.
High Availability through "Availability Zones":
Cloud service providers divide each region into availability zones: physically separate data centers with independent power and network connectivity. Regions themselves are located in different geographical areas.
If one zone experiences a problem (e.g., power outage, natural disaster), workloads deployed across several zones can fail over to another zone automatically. This ensures business continuity and minimizes downtime.
You don't have to maintain a whole data center yourself with all the complex redundancy that entails.
Contract and Billing Models
:
You can set up the billing so that it depends on the data used, much like your mobile phone bill.
Resource Pooling:
The provider's resources (computing power, storage capacity, network) are pooled and shared across many tenants, so capacity is allocated to each customer on demand rather than dedicated to one customer in advance.
Service Models
Types of cloud computing service models include Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
Managed Service Provider (MSP)
A managed service provider (MSP) is a company that manages information technology assets for another company.
Small and medium-sized businesses (SMBs) often outsource some or all of their IT tasks to an MSP. This helps them:
Manage day-to-day operations: MSPs take care of routine IT tasks like system monitoring, updates, and troubleshooting, allowing the client company to focus on its core business.
Provide expertise: Companies might not have in-house experts for all IT areas (e.g., advanced cybersecurity). MSPs fill this gap by offering specialized knowledge and skills.
Provide network and security monitoring and patching services
Other Common MSP Implementations:
Utilize expertise for implementation of a product or service
Augment in-house staff for projects
Managed Detection and Response (MDR) Service: This is a key example. In an MDR service, the MSP acts as a vendor who monitors firewalls and other security tools.
Provide payroll services
Provide Help Desk service management
Manage all in-house IT infrastructure
Cloud Characteristics
Allows an enterprise to scale up new software or data-based services/solutions through cloud systems quickly and without having to install massive hardware locally.
Reduced cost of ownership. There is no need to buy any assets for everyday use, no loss of asset value over time and a reduction of other related costs of maintenance and support.
Usage is metered and priced according to units (or instances) consumed. This can also be billed back to specific departments or functions.
Reduced energy and cooling costs, along with a "green IT" environment effect with optimum use of IT resources and systems.
Cloud Computing
Cloud computing is usually associated with an internet-based set of computing resources, and typically sold as a service provided by a cloud service provider (CSP).
There are various definitions of what cloud computing means per leading standards, including NIST's:
"A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (such as networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
NIST SP 800-145
Service-Level Agreement (SLA)
An SLA is an agreement between a cloud service provider and a cloud service customer, based on a taxonomy of cloud computing-specific terms, that sets the quality of the cloud services delivered.
The purpose of an SLA is to document specific parameters, minimum service levels, and remedies for any failure to meet the specified requirements. It should also affirm data ownership and specify data return and destruction details.
Some of SLA points to consider include the following:
Customer right to audit legal and regulatory compliance by the CSP
Cloud system infrastructure details and security standards
Rights and costs associated with continuing and discontinuing service use
Service availability
: This is one of the most critical points, often expressed as a percentage of uptime (e.g., 99.9% uptime).
Service performance
: The SLA may define metrics for speed, response times, or other performance criteria.
Data security and privacy
: Specifies how your data is protected from unauthorized access, loss, or privacy breaches.
Disaster recovery processes
: Describes how the provider will recover your services and data in case of a major incident (e.g., natural disaster, severe cyberattack).
Data location
: Where your data is physically stored (e.g., in which country, which data center). This is important for data privacy regulations.
Data access
: Who can access your data and under what circumstances.
Data portability:
How easily customers can move their data out of the provider's cloud platform if they want to switch providers or move back to an on-premises data center.
Problem identification and resolution expectations
: The SLA will define how problems are reported, expected response times, and the resolution process.
Change management processes:
How the provider communicates and manages changes to their services.
Dispute mediation processes
: How any disagreements between the customer and provider will be resolved if issues arise.
Exit strategy:
Very crucial! This outlines how you can terminate the contract and retrieve your data safely and efficiently without business disruption.