2 Cybersecurity Fundamentals Network Security

This document provides an overview of key networking and security principles: 1. It defines networking concepts like types of networks (LAN, WAN), networking devices (hub, switch, router, firewall), and network addressing (MAC, IP addresses). 2. It describes common networking threats like spoofing, phishing, DoS/DDoS attacks, and malware. It also outlines security measures to prevent threats like firewalls, intrusion detection/prevention systems, antivirus software, and regular vulnerability scanning. 3. It introduces networking models like OSI and TCP/IP and explains how protocols like IPv4, IPv6, TCP, and common ports (HTTP, SMTP, etc.) work and how to

Module 4: Security Principles

A network is simply two or more computers linked together to share data, information or resources.

What is Networking?
Types of Networks: LAN, WAN
Network Devices: Hub, Switch, Router, Firewall, Server, Endpoint
Other Networking Term: Ethernet
Device Address:
• MAC Address
• IP Address
Networking at a Glance
Networking Model
• The purpose of all communications is to exchange information
and ideas between people and organizations so that they can
get work done.
• Those simple goals can be re-expressed in network (and
security) terms such as:
o Provide reliable, managed communications between hosts
(and users)
o Isolate functions in layers
o Use packets as the basis of communication
o Standardize routing, addressing and control
o Allow layers beyond internetworking to add functionality
o Be vendor-agnostic, scalable and resilient
Open System Interconnection (OSI) Model
• Encapsulation: addition of header and possibly a footer (trailer) data by a protocol used at that layer of the OSI model.
• De-encapsulation: the reverse process, in which each layer removes its own header (and trailer) before passing the remaining data up to the next layer.
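A worked illustration of the two bullets above, added here and not part of the course slides: a UDP datagram is wrapped in an IPv4 header (encapsulation) and then unwrapped again with the header checksum and the declared length verified (de-encapsulation). The addresses, ports and payload are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate_udp(sport: int, dport: int, data: bytes) -> bytes:
    """Layer 4: prepend the 8-byte UDP header (checksum 0 = not computed, allowed over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def encapsulate_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Layer 3: prepend a 20-byte IPv4 header (no options) carrying a valid header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    checksum = ones_complement_checksum(header)          # computed with the field zeroed
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload

def decapsulate_ipv4(packet: bytes) -> dict:
    """Strip the IPv4 header after validating version, declared length and checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")        # rejects a length larger than the data
    if ones_complement_checksum(packet[:ihl]) != 0:      # a correct header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "ttl": ttl,
            "proto": proto, "payload": packet[ihl:total_len]}

def decapsulate_udp(segment: bytes) -> tuple[int, int, bytes]:
    """Strip the UDP header, returning (sport, dport, data)."""
    sport, dport, length, _csum = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("bad UDP length")
    return sport, dport, segment[8:length]

if __name__ == "__main__":
    pkt = encapsulate_ipv4("192.0.2.1", "198.51.100.7", 17, encapsulate_udp(5353, 53, b"hello"))
    print(pkt.hex(), decapsulate_udp(decapsulate_ipv4(pkt)["payload"]))
```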
Transmission Control Protocol (TCP)/Internet Protocol (IP)
Internet Protocol (IPv4 & IPv6)
• IPv6 is a modernization of IPv4, which addressed a number of weaknesses in the IPv4 environment:
• A much larger address field: IPv6 addresses are 128 bits, which supports 2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 hosts. This ensures that we will not run out of addresses.
• Improved security: IPsec is an optional part of IPv4 networks, but a mandatory component of IPv6 networks. This will help ensure the integrity and confidentiality of IP packets and allow communicating partners to authenticate with each other.
• Improved quality of service (QoS): This will help services obtain an appropriate share of a network’s bandwidth.
Knowledge Check: Formatting IPv6
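As a worked example for this knowledge check, added here and not part of the course slides: the RFC 5952 rules for writing an IPv6 address in its canonical compressed form (lowercase, no leading zeros, "::" only on the longest run of two or more zero groups), together with the 2^128 address count quoted above, cross-checked against Python's ipaddress module.

```python
import ipaddress

# 128-bit address space quoted on the slide: 2**128 hosts.
IPV6_ADDRESS_COUNT = 2 ** 128  # 340,282,366,920,938,463,463,374,607,431,768,211,456

def expand_ipv6(text: str) -> list[int]:
    """Parse any textual IPv6 form into its eight 16-bit groups (no zone id / embedded IPv4)."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = [int(g, 16) for g in head.split(":")] if head else []
        tail_groups = [int(g, 16) for g in tail.split(":")] if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group")
        groups = head_groups + [0] * missing + tail_groups
    else:
        groups = [int(g, 16) for g in text.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"not a valid IPv6 address: {text!r}")
    return groups

def compress_ipv6(text: str) -> str:
    """RFC 5952 canonical text: lowercase hex, no leading zeros, '::' only on the
    longest run of two or more zero groups (the leftmost run wins a tie)."""
    groups = expand_ipv6(text)
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:      # measure this run of zero groups
            j += 1
        if j - i > best_len:                 # strict '>' keeps the leftmost run on a tie
            best_start, best_len = i, j - i
        i = j
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:                         # a single zero group is never compressed
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])

def matches_stdlib(text: str) -> bool:
    """Cross-check against the standard library's canonical rendering."""
    return compress_ipv6(text) == str(ipaddress.IPv6Address(text))
```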
What is Wi-Fi?
Security of the Network
• TCP/IP’s vulnerabilities are numerous. Improperly implemented TCP/IP stacks in various operating systems are vulnerable to various DoS/DDoS attacks, fragment attacks, oversized packet attacks, spoofing attacks, and man-in-the-middle attacks.
• TCP/IP (as well as most protocols) is also subject to passive attacks via monitoring or sniffing. Network monitoring, or sniffing, is the act of monitoring traffic patterns to obtain information about a network.
Ports and Protocols (Applications/Services)
• Physical Ports: Physical ports are the ports on the routers, switches, servers, computers, etc. that you connect the wires, e.g., fiber optic cables, Cat5 cables, etc., to create a network.
• Logical Ports: Ports allow a single IP address to be able to support multiple simultaneous communications, each using a different port number.
o Well-known ports (0–1023): These ports are related to the common protocols that are at the core of the Transmission Control Protocol/Internet Protocol (TCP/IP) model, Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), etc.
o Registered ports (1024–49151): These ports are often associated with proprietary applications from vendors and developers. While they are officially approved by the Internet Assigned Numbers Authority (IANA), in practice many vendors simply implement a port of their choosing. Examples include Remote Authentication Dial-In User Service (RADIUS) authentication (1812), Microsoft SQL Server (1433/1434) and the Docker REST API (2375/2376).
o Dynamic or private ports (49152–65535): Whenever a service is requested that is associated with well-known or registered ports, those services will respond with a dynamic port that is used for that session and then released.
Secure Ports: FTP, Telnet, SMTP, Time, DNS, HTTP, IMAP, SNMP, SMB, LDAP
Types of Threats: Spoofing, Phishing, DoS/DDoS, Virus, Worm, Trojan, On-path Attack, Side Channel, Advanced Persistent Threat (APT), Insider Threat, Malware, Ransomware
Knowledge Check: Identify Malware Threats
Identify Threats and Tools Used to Prevent Them
If a system doesn’t need a service or protocol, it should not be running. Attackers cannot exploit a vulnerability in a service or protocol that isn’t running on a system.
Firewalls can prevent many different types of attacks. Network-based firewalls protect entire networks, and host-based firewalls protect individual systems.
Intrusion Detection System (IDS)
• Intrusion detection is a specific form of monitoring that
monitors recorded information and real-time events to
detect abnormal activity indicating a potential incident or
intrusion.
• An intrusion detection system (IDS) automates the
inspection of logs and real-time system events to detect
intrusion attempts and system failures.
• A primary goal of an IDS is to provide a means for a timely
and accurate response to intrusions.
• IDS types are commonly classified as host-based and
network-based. A host-based IDS (HIDS) monitors a single
computer or host. A network-based IDS (NIDS) monitors a
network by observing network traffic patterns.
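A minimal NIDS-style detector, added here and not from the course material, that applies the "observe network traffic patterns" idea to constructed flow records: it raises an alert when one source touches many distinct ports on a single host within a short window, the pattern a port scan leaves behind. Hosts, timestamps, window and threshold are all assumed sample values; a NIPS would act on the same verdict inline instead of only alerting.

```python
from collections import defaultdict, deque

# Constructed NetFlow-style records (timestamp s, src, dst, dst port); not captured traffic.
FLOWS = [
    # one source walks six ports on one host within two seconds (scan pattern)
    (0.0, "10.0.0.5", "10.0.0.20", 21), (0.4, "10.0.0.5", "10.0.0.20", 22),
    (0.8, "10.0.0.5", "10.0.0.20", 23), (1.2, "10.0.0.5", "10.0.0.20", 25),
    (1.6, "10.0.0.5", "10.0.0.20", 80), (2.0, "10.0.0.5", "10.0.0.20", 443),
    # a normal client: many flows, but always to the same service port
    (0.1, "10.0.0.7", "10.0.0.20", 443), (0.9, "10.0.0.7", "10.0.0.20", 443),
    (3.0, "10.0.0.7", "10.0.0.20", 443), (4.2, "10.0.0.7", "10.0.0.20", 443),
    # a slow probe: five ports, but 15 s apart, so never five inside a 10 s window
    (0.0, "10.0.0.9", "10.0.0.20", 22), (15.0, "10.0.0.9", "10.0.0.20", 25),
    (30.0, "10.0.0.9", "10.0.0.20", 80), (45.0, "10.0.0.9", "10.0.0.20", 443),
    (60.0, "10.0.0.9", "10.0.0.20", 8080),
]

def detect_port_scans(flows, window=10.0, threshold=5):
    """Alert once per (src, dst) pair when the source touches at least `threshold`
    distinct destination ports within any `window` seconds. Returns alert dicts."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport) still inside the window
    alerted, alerts = set(), []
    for ts, src, dst, dport in sorted(flows):
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # slide the window forward, dropping old flows
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "ports": sorted(distinct),
                           "first_seen": q[0][0], "last_seen": ts})
    return alerts

if __name__ == "__main__":
    for a in detect_port_scans(FLOWS):
        print(f"ALERT port scan {a['src']} -> {a['dst']} ports {a['ports']} "
              f"between t={a['first_seen']} and t={a['last_seen']}")
```

With `window=60.0` the slow probe is caught as well, which is the tuning trade-off an IDS operator faces between missing slow scans and raising false positives on busy clients.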
Preventing Threats
• Keep systems and applications up to date. Vendors regularly release patches to correct bugs and security flaws, but
these only help when they are applied. Patch management ensures that systems and applications are kept up to
date with relevant patches.
• Remove or disable unneeded services and protocols. If a system doesn’t need a service or protocol, it should not
be running. Attackers cannot exploit a vulnerability in a service or protocol that isn’t running on a system. As an
extreme contrast, imagine a web server is running every available service and protocol. It is vulnerable to potential
attacks on any of these services and protocols.
• Use intrusion detection and prevention systems. As discussed, intrusion detection and prevention systems observe
activity, attempt to detect threats and provide alerts. They can often block or stop attacks.
• Use up-to-date anti-malware software. We have already covered the various types of malicious code such as
viruses and worms. A primary countermeasure is anti-malware software.
• Use firewalls. Firewalls can prevent many different types of threats. Network-based firewalls protect entire
networks, and host-based firewalls protect individual systems. This chapter included a section describing how
firewalls can prevent attacks.
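An added example, not from the course material, that ties the port ranges described earlier to the "remove or disable unneeded services" step: it parses listening sockets in the style of Linux `ss -tlnp` (the sample output is constructed) and reports every listener that is not on a hypothetical approved baseline, or that is served by an unexpected process.

```python
import re

def port_class(port: int) -> str:
    """IANA range as the slide describes it: well-known, registered or dynamic/private."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return "well-known" if port <= 1023 else "registered" if port <= 49151 else "dynamic"

# Constructed sample in the style of `ss -tlnp` on a Linux host; not output from any real system.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("python3",pid=1044,fd=6))
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("inetd",pid=640,fd=5))
LISTEN 0      4096   127.0.0.1:1433     0.0.0.0:*         users:(("sqlservr",pid=2210,fd=9))
LISTEN 0      4096   [::]:2375          [::]:*            users:(("dockerd",pid=977,fd=4))
"""
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def parse_listeners(text: str) -> list[tuple[str, int, str]]:
    """Return (local address, port, process name) for each LISTEN line."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # skip the header and non-listening sockets
        addr, port = fields[3].rsplit(":", 1)
        match = PROCESS_RE.search(line)
        listeners.append((addr, int(port), match.group(1) if match else "unknown"))
    return listeners

# Hypothetical baseline: the only services this web host is meant to expose, and by which process.
BASELINE = {22: "sshd", 443: "nginx"}

def audit_listeners(text: str, baseline=BASELINE) -> list[dict]:
    """Flag every listener missing from the baseline or served by an unexpected process."""
    findings = []
    for addr, port, process in parse_listeners(text):
        expected = baseline.get(port)
        if expected is None:
            reason = "not in baseline: disable the service or block the port"
        elif expected != process:
            reason = f"served by {process}, baseline expects {expected}"
        else:
            continue
        findings.append({"addr": addr, "port": port, "class": port_class(port),
                         "process": process, "reason": reason})
    return findings
```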
Preventing Threats - Antivirus
• Antivirus systems try to identify malware based on the signature of known malware or by detecting abnormal activity on a system. This identification is done with various types of scanners, pattern recognition and advanced machine learning algorithms.
• Anti-malware now goes beyond just virus protection as modern solutions try to provide a more holistic approach detecting rootkits, ransomware and spyware. Many endpoint solutions also include software firewalls and IDS or IPS systems.
Preventing Threats -
Scan
• Regular vulnerability and port scans
are a good way to evaluate the
effectiveness of security controls used
within an organization. They may
reveal areas where patches or security
settings are insufficient, where new
vulnerabilities have developed or
become exposed, and where security
policies are either ineffective or not
being followed. Attackers can exploit
any of these vulnerabilities.
Preventing Threats - Firewall
Preventing Threats – Intrusion Prevention System (IPS)
• An intrusion prevention system (IPS) is a special type of active IDS that
automatically attempts to detect and block attacks before they reach target
systems.
• A distinguishing difference between an IDS and an IPS is that the IPS is
placed in line with the traffic. In other words, all traffic must pass through
the IPS and the IPS can choose what traffic to forward and what traffic to
block after analyzing it. This allows the IPS to prevent an attack from
reaching a target. Since IPS systems are most effective at preventing
network-based attacks, it is common to see the IPS function integrated into
firewalls.
• Just like IDS, there are Network-based IPS (NIPS) and Host-based IPS (HIPS).
On-Premises Data Center
• When it comes to data centers, there are two primary options: organizations can outsource the data center or own the data center. If the data center is owned, it will likely be built on premises. A place, like a building for the data center is needed, along with power, HVAC, fire suppression and redundancy.
Redundancy
• The concept of redundancy is to design systems with
duplicate components so that if a failure were to occur,
there would be a backup. This can apply to the data
center as well. Risk assessments pertaining to the data
center should identify when multiple separate utility
service entrances are necessary for redundant
communication channels and/or mechanisms.
• If the organization requires full redundancy, devices
should have two power supplies connected to diverse
power sources. Those power sources would be backed
up by batteries and generators. In a high-availability
environment, even generators would be redundant and
fed by different fuel types.
Cloud
• Cloud computing is usually associated with
an internet-based set of computing
resources, and typically sold as a service,
provided by a cloud service provider (CSP).
• “a model for enabling ubiquitous,
convenient, on-demand network access to a
shared pool of configurable computing
resources (such as networks, servers,
storage, applications, and services) that can
be rapidly provisioned and released with
minimal management effort or service
provider interaction.” NIST SP 800-145
Cloud Characteristics
• Cloud computing has many benefits for organizations, which
include but are not limited to:
o Usage is metered and priced according to units (or
instances) consumed. This can also be billed back to
specific departments or functions.
o Reduced cost of ownership. There is no need to buy
any assets for everyday use, no loss of asset value over
time and a reduction of other related costs of
maintenance and support.
o Reduced energy and cooling costs, along with “green
IT” environment effect with optimum use of IT
resources and systems.
o Allows an enterprise to scale up new software or data-
based services/solutions through cloud systems
quickly and without having to install massive
hardware locally.
Service Models
• Types of cloud computing service models include Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
Deployment Models
• The four cloud models available are public, private, hybrid and community.
Managed Service Provider (MSP)
A managed service provider (MSP) is a company that manages information technology assets for another company.
Some other common MSP implementations are:
• Augment in-house staff for projects
• Utilize expertise for implementation of a product or service
• Provide payroll services
• Provide Help Desk service management
• Monitor and respond to security incidents
• Manage all in-house IT infrastructure
Service-Level Agreement (SLA)
The cloud computing service-level agreement (cloud SLA) is an agreement between a cloud service provider and a cloud service customer based on a taxonomy of cloud computing-specific terms to set the quality of the cloud services delivered.
The purpose of an SLA is to document specific parameters, minimum service levels and remedies for any failure to meet the specified requirements.
Important SLA points to consider include the following:
• Cloud system infrastructure details and security
standards
• Customer right to audit legal and regulatory
compliance by the CSP
• Rights and costs associated with continuing and
discontinuing service use
• Service availability
• Service performance
• Data security and privacy
• Disaster recovery processes
• Data location
• Data access
• Data portability
• Problem identification and resolution expectations
• Change management processes
• Dispute mediation processes
• Exit strategy
Network Design: Segmentation
Network Design: Demilitarized Zone (DMZ)
Network Design: Virtual Local Area Network (VLAN)
Network Design: Virtual Private Network (VPN)
Network Design: Defense in Depth
Network Design: Network Access Control (NAC)
Deep Dive: Defense in Depth
• Data: Controls that protect the actual data with technologies such as encryption,
data leak prevention, identity and access management and data controls.
• Application: Controls that protect the application itself with technologies such as
data leak prevention, application firewalls and database monitors.
• Host: Every control that is placed at the endpoint level, such as antivirus, endpoint
firewall, configuration and patch management.
• Internal network: Controls that are in place to protect uncontrolled data flow and
user access across the organizational network. Relevant technologies include
intrusion detection systems, intrusion prevention systems, internal firewalls and
network access controls.
• Perimeter: Controls that protect against unauthorized access to the network. This
level includes the use of technologies such as gateway firewalls, honeypots, malware
analysis and secure demilitarized zones (DMZs).
• Physical: Controls that provide a physical barrier, such as locks, walls or access
control.
• Policies, procedures and awareness: Administrative controls that reduce insider
threats (intentional and unintentional) and identify risks as soon as they appear.
Zero Trust
• Zero trust is an evolving design approach which
recognizes that even the most robust access
control systems have their weaknesses. It adds
defenses at the user, asset and data level, rather
than relying on perimeter defense. In the
extreme, it insists that every process or action a
user attempts to take must be authenticated and
authorized; the window of trust becomes
vanishingly small.
• While microsegmentation adds internal
perimeters, zero trust places the focus on the
assets, or data, rather than the perimeter. Zero
trust builds more effective gates to protect the
assets directly rather than building additional or
higher walls.
