Cybersecurity_Security_architecture_2023.pdf

1. Fundamental security principles
TABLE
of contents
2. Skills to be a security architect
3. How to design secure infrastructure
5. Cybersecurity programme (CSP)
6. Security controls
7. Physical security
4. Security standards and frameworks 8. Network security

Security Architecture
Security principles, methods and models
designed to keep your infrastructure safe,
security design that addresses potential
risks,
overall system required to protect your
infrastructure,
security controls, policies, procedures, and
guidelines.
building security into system design,
implementation and deployment.

Traditional vs defensible approach
Traditional security architecture
The focus is on hardening systems against potential
risks and on perimeter-based network security.
“Castle and moat model*” - the objective is to keep
the intruders out, and the supposition that
everything inside the network is safe.
Defensible security architecture
Ongoing process of adapting security controls and
procedures, based on the current risks and threats.
It is based on the implementation of fundamental
security principles such as zero trust. It is about the
design of infrastructure and applications resilient
under attack
*"Castle-and-moat" - network design where the organization's
network is seen as a castle and the network perimeter as a
moat. Once the drawbridge is lowered and someone crosses it,
they have free rein inside the castle grounds. Image source: https://www.compact.nl/articles/zero-trust-beyond-the-hype/
Image source: https://www.clouddirect.net/a-beginners-guide-to-zero-trust/t
Trusted
Untrusted

OBJECTIVES
Provide continuous monitoring
and logging to detect anomalies.
DETECT
Apply security controls to
prevent the risk. Harden and
isolate systems.
PREVENT
Understand the system and its
operation, the context and
potential risks.
IDENTIFY
Respond to security incident,
investigate system, run analysis,
and inform stakeholders.
RESPOND
Update security policies, and
procedures, and prepare
guidelines, and documentation.
RECOVER
SECURITY
DESIGN
RECOVER
IDENTIFY
RESPOND
DETECT
PREVENT

Ingredients of Happiness
Impact
Vulnerability Threat
RISK
RISK = Likelihood x Impact
Likelihood = Threat x Vulnerability
RISK - Focus of security
Security is about managing risk to the critical assets.
Risk is the likelihood of a threat touching a
vulnerability in the system.
The key is understanding what is critical and high risk
to your organisation and how to reduce it.

Non-actor driven
Threats
Actor driven
natural disaster
errors in systems (bugs)
human error (accidents, negligence)
Usually unintentional, a result of negative outcomes
from operations. Caused by:
Usually deliberate/intentional, caused by deliberate
actions from actors/groups.
Threat modelling
Strategically thinking about what can go wrong.
SET OBJECTIVES
What do we want to
accomplish?
PLAN
What are we
deploying?
IDENTIFY
THREATS
What can go
wrong?
MITIGATE
How to prevent
threats?
AUDIT
Did we succed in
previous steps?

FUNDAMENTALSECURITY
PRINCIPLES
Defence-in-depth
Multiple layers of
protection, if a level of
protection fails, the
subsequent level will
prevent an attack.
Zero trust
No person, device or
service can automatically
be trusted.
Least privileges
Only services and people
that need permissions,
will get them.
Separation of
duties
SPOC - no single point of
control, a single person
cannot do a compromise.
CIA triad
Cybersecurity is the
protection of
Confidentiality, Integrity
and Availability of
information in the
system.

Defence-in-depth
Any layer of
protection might fail
Integration of defence-in-depth means that multiple
levels of protection must be deployed and different
types of security controls (organisational, technical
etc.)
A single magical solution doesn’t exist.
An example: MFA + patches + firewall + IDS +
automatic penetration tests + data encryption

Zero trust
No asset or user is trusted.
You don’t automatically believe everything inside your firewall can be trusted.
All users should be authenticated (in or outside of an organisation network) - MFA if
possible.
Key principles: continuous verification, minimising the impact of a compromise if it
occurs, and granting access only if it is really needed.
The focus is on protecting resources, not network segments
See NIST SP 800-207: https://csrc.nist.gov/pubs/sp/800/207/final

Least privilege
The principle of least
privilege (POLP)
access means
granting a minimum
level of access rights
to users and services
to perform their
jobs.
Access rights are not permanent.
Revise assigned privileges regularly.
Hardening hosts is part of this approach
too: delete default accounts, and
uninstall/disable services that are installed
by default but not needed.
Don’t give users privileges on a “just-in-
case” you need them basis.

Separation of duties
No single point of control
No user should be given enough privileges to misuse the system.
Security measures to prevent fraud, misuse of information, and error.
SOD principle can be implemented by defining roles, by enforcing controls of
access, by two-person rule etc.
Example: two signatures required for a bank transaction, door with two locks and
single key for each lock, separate action in separate location...

CIA triad
CONFIDENTIALITY: Only authorised users should
be able to access the information
INTEGRITY: Make sure that data has not been
modified, and that it is accurate.
AVAILABILITY: Information should be available
when required.
This concept is part of ISO 27001, a global standard for
information security.
:

integrity
availability
confidentiality
integrity
availability
confidentiality
defence-in-depth principle
zero trust principle
separation of duties principle
QUIZ
Is unauthorised access to the information loss of
Web server is down when trying to access a website. Is this the loss of:
To access her mailbox, Alice has to use the company’s VPN and log in with her
username and password and OTP. Is this implementation of:

2 Preparation of reference architecture, definition of
the approach and required security controls
(topology diagram, definition of processes etc.)
Security architect
1 Based on risk assessment, security architect
defines the objectives of the information system.
4 Monitor the system, audit it, and review the
procedures, policies, and controls. Based on the
results, revise the architecture framework and
security controls.
3 Development of Security Solution Architecture
Define objectives
Create architecture plan
Create security solution architecture
Detect anomalies and revise
Security architect works to design, build, test, and implement security systems withing an organisation.

Core tasks
Develop security design for systems and
networks, taking into account the
fundamental security principles and
objectives of the organisation.
Define the scope of the information system, its
location, required services and what kind of
data will be processed.
Prepare security policies and procedures.
Prepare documentation on assets, risk
assessment and treatment, vulnerability
management etc.
Run risk assessment to identify critical
processes and services and apply security
controls that will reduce the risk.
Implement the information system.
Perform security reviews and audits.
Ensure staff training and security awareness.
Monitor the system and detect anomalies.
Review and revise.
Role of security architect

Use security principles and security
frameworks
Use visual charts to communicate info
more effectively.
Run risk assessment
Understand how a system works and how
it can fail, what are the critical services,
what is the highest risk, what are the
threats.
Prepare policies and system design
Based on the risk assessment, prepare
security controls, policies, procedures.
Implement and review
Prepare the system, implement it. After
the implementation, monitor the system
to detect anomalies and prevent
cybersecurity attacks. Constantly improve
the procedures and controls.
How to design
security
architecture
Security should be included in
the process from start to finish,
from design to production.
You cannot do security when
the service is in production, as
you cannot build an earthquake
proof builing after it is already
built.
1
2
3
4

Security models
Confidentiality, Integrity and
Availability as three crucial
components of security
Prepare - Plan - Design - Implement -
Operate - Optimise
The basis is lifecycle approach to
network design that improves
business agility and network
availability.
CIA TRIAD CISCO PPDIOO
Repetitive four stage model Plan - do
- check - act for continuous
improvement, considered as the
basis for quality control.
Also called Deming wheel or
Shewhard cycle.
PDCA

The context: understand the components of your system, and its objectives, address
shortcomings, and separate responsibilities, and understand the threat model.
Assess the risk to the organisation.
Identify the legal, regulatory, and contractual requirements your organisation must comply
with.
Design system: network segments, services, communication channels, authN and authZ
options.
Identify critical services and sensitive data.
Provide mechanisms for compromise detection (collect logs and monitor events).
Reduce attack surface, and reduce the impact of the compromise and failure.
Provide incident response plan.
Security design priciples

CYBERSECURITY
PROGRAMME
incorporates strategy of an organisation,
organisational policies, standards, how-tos,
procedures
based on experience, industry standards,
regulations, guidelines
built with the help of a security framework,
which is adapted to an organisation
Following a security framework is not enough, a
defensive strategy is needed to implement CSP
Specifically describes current and targeted
cybersecurity posture
identifies security gaps
identifies how to improve the security
demonstrates alignment with standards and best
practices
addresses the organisation‘s security risks and
their mitigation
Designs and implements security controls
Benefits of CSF:
A DEFENSIVE STRATEGY is a plan to achieve
organisational security objectives, based on risk
assessment, identification of cyber threats,
organisation’s assets, security controls, detection and
incident response procedures etc.

To implement security and
develop cybersecurity
programme.
Security frameworks
A security framework is a set of policies, guidelines, and best
practices designed to manage an organization’s information
security risks. As the name suggests, frameworks provide the
supporting structure needed to protect internal data against
cyber threats and vulnerabilities. (source: OneTrust)

When should an organisation implement Cybersecurity Programme?
when you have unclear roles and responsibilities for
information systems and data,
when you lack of work procedures,
when information is stored all over the organisation,
when dealing with low security awareness,
when no incident management procedures are in place
when there is no risk management defined,
when you lack formal policies and procedures.

also known as the 'ISMS Family of Standards' or 'ISO27K'
for short
international standard for information security,
cybersecurity and protection. Updated in 02/2022.
more than 100k organisation worldwide certified
organisation has to formalise procedures, security
policies, has risk assessment plan
ISO 27000 series
ISO27001 Specification of Information
Security Management System (ISMS)
ISO27002 Information security controls
ISO27005 Iso standard for information
security risk management
https://www.iso.org/standards.html

ISO 27001
Specification of Information Security Management System
(ISMS)
Security controls structure: Organisational, physical, and
technological controls
Controls’ attributes are either Preventive, Detective or
Corrective.
The new version released in 2022 - includes new security
controls (threat intelligence, security for use of cloud
services, business continuity, physical security monitoring,
data deletion/masking and leaking prevention, web filtering,
configuration management and secure coding.
93 security controls (before 114), some of them were
merged
Source: Advisera

Diamond model
The Diamond Model of Intrusion Analysis is a
framework for investigating and analyzing
cybersecurity incidents. Intelligence analysts
and computer security researchers developed
it to help understand and characterize cyber-
attacks. Valuable model for threat
intelligence.
adversary - what is the motive, why did the attack happen?
infrastructure: location of the attacker, the methods used to attack the target system, and the tools and
techniques employed.
victim = target of the attack, which was the security gap and what the potential impact of the attack on
the organisation.
capabilities: attacker’s methods and techniques, which vulnerability he/she exploited, which malware was
installed, how sophisticated the attack

NIST CSF
NIST SP 800 by the National
Institute for Standards and
Technology
Currently version 1.1. is in place, but
a Draft for CSF 2.0 Core is available
and you can provide comments
until Nov 2023
Based on 5 pillars: identify, protect,
detect, respond, recover
https://www.nist.gov/itl/smallbusinesscyber/planning-guides/nist-cybersecurity-framework

NIST CSF
NIST helps you answer the following questions:
How to categorise and protect your data?
How to conduct risk assessments?
How to prepare a security plan?
How to implement security controls?
How to measure performance and efficiency?
How to process data?
https://www.nist.gov/cybersecurity

CIS controls
known also as Critical Security Controls,
developed by Center for Internet security,
contain a set of actions for system cyber defense.
CIS controls are used to identify common exploits,
they provide recommendations on how to defend (safeguards),
are measurable,
each safeguard has a description (for small office, for large organization with IT, for
organization with security expert group).
See: https://www.cisecurity.org/

CIS controls
Source: https://www.sans.org/blog/cis-controls-v8

CIS benchmarks
more than 100 benchmarks/saveguards available, for network devices, operating
systems, software packages, cloud providers etc.
more than 25 vendor products included, such as Cisco, F5, Juniper.
many vendors implement CIS benchmarks (such as Nessus, OpenVAS etc.).
See: https://learn.cisecurity.org/benchmarks
How to translate a CIS safeguard
to action - configuration guidelines

ISA
Adoption of the NIST standards for the operating technologies (OT)
the organisation has to formalise procedures and security policies, has a risk
assessment plan
policies and practices that are suitable for industrial automated control systems
over 150 standards
ISA standards committees produce two types of related documents:
recommended practices (RP) with suggestions for applying a standard
technical reports (TR) as guidance for understanding a topic/standard.
a.
b.
See: https://www.isa.org/standards-and-publications/isa-standards

Cyber Security Kill Chain
reconnaissance
weaponisation
delivery
exploit
installation
C2 (command and control)
Actions
Cyber Security Kill Chain Intrustion model
explains the typical procedure that hackers
take when performing a successful cyber
attack. Developed by Lockheed Martin and
is derived from military attack models
This model is implemented by Mittre Att&ck and has 7
steps:
1.
2.
3.
4.
5.
6.
7.
Source: www.csoonline.com

Mittre Att&ck
security framework,
KB for cyber adversary behaviour based on real-world observations,
used by cybersecurity professionals to understand, analyze, and defend against cyber threats,
useful to plan for security improvements,
useful to understand security risks against known adversary behaviour.
tactics = initial access, execution, persistence, exfiltration
techniques: phishing, scripting, keys, encryption
KB organised into a matrix of tactics and techniques (goals and methodology):

COBIT
Control Objectives for Information and Related Technologies
good-practice framework made by ISACA
suitable for enterprises
See: https://www.isaca.org/resources/cobit

Information security related regulations in EU
The European General Data Protection Regulation (GDPR)
Digital future strategy
The Network and Information Systems Directive (NIS Directive)
Revision of the NIS Directive (New NIS2 Directive)
The EU Cybersecurity Act
The EU-Wide Cybersecurity Certification Scheme
A collection of all EC standards can be found here (=! regulation):
https://ec.europa.eu/info/files/security-standards-information-systems_en

Establish security policies
Use the documentation and templates, that are already available:
AARC Project: https://aarc-project.eu/policies/policy-development-kit/
WISE: https://wise-community.org/published_documents
How to put policies in place?

What kind of skills does a security architect need?
technical skills
management skills
risk assessment skills
communication skills
all above
Which security framework is most suitable for OT systems?
ISA
NIST CSF
COBIT
Which of the following security controls are added to the new
ISO27001:2022 standard?
Configuration management
Physical security
Human resource security
QUIZ

Is important equipment vulnerable?
Where can the equipment be used?
Who is responsible for maintenance?
Are policies in place for using equipment
that leaves the premises?
Physical security
Physical security is the protection of
personnel, hardware, software, networks and
data from physical actions and events that
could cause serious loss or damage to an
enterprise, agency or institution. This
includes protection from fire, flood, natural
disasters, burglary, theft, vandalism and
terrorism. (definition by Techtarget)
ISO27001:2022 includes physical and
environmental security controls to safeguard
information systems from physical threats. It
expands on the control related to safe areas to
cloud environments.
Also EC published its standard on physical and
environmental security, with the same focus as
ISO27k. Download here:
https://commission.europa.eu/select-language?
destination=/media/6775

Physical security - threats
Fire,
water damage,
destruction of equipment,
earthquakes,
failure of air conditioning,
loss of power supply,
remote spying,
eavesdropping,
What are the threats that physical security controls should tackle:
tempering,
disclosure,
unauthorised use,
corruption of stored data
theft
etc.

Physical security by ISO27k
Secure areas (including virtual/cloud): walls, card-controlled entry gates, physical security for offices, data
centres, protection against flood, fire, and earthquake, access control for secure areas, IAM etc.
Physical entry controls: CCTV surveillance, security guards, protective barriers, locks, perimeter intrusion
detection, policy on visitor management process etc.
Equipment security: protected from power failures, unauthorised usage, fire protection, clear policies for
removable storage media, and policies on data removal that are saved on the equipment.
Reuse of equipment: clear policy on data erasure and destruction
Protection against environmental threats: controls for monitoring environmental conditions, such as
temperature, humidity, air quality
ISO27001 includes the following categories of physical and environmental security controls:

Hardware Security
Place sensitive equipment in a well-protected zone
Monitor and restrict access to the equipment, both physical access
and software-based access.
Disable unused interfaces (physically, in BIOS, from OS) or
configure them in a restrictive manner, e.g. USB device whitelisting.
Power and communication cables must be protected
Hardware must be protected from physical and environmental threats
and from opportunities for unauthorised access.
secure hardware design,
access controls,
secure procurement process,
secure supply chain (shipping,
credentialing of all involved
participants etc.),
maintenance,
security of hardware off-
premises.
Hardware security includes:

Which is NOT part of ISO27k on physical security?
secure areas
physical access controls
reuse of equipment
fire procedure
`Is the following true or false?
Cloud equipment was only added to ISO27k standard in the
2022 release?
EC has no standards or guidelines on physical security?
Because of the remote work, organisations had to address the
use of equipment off-premises in their policies?
QUIZ

many network devices are not kept up
to date
many network devices are accessible
from external network
many network devices are accessible
via a password
network is not segmented, critical
services are not isolated.
Main problem:
Conceptual network design includes the identification of
all core components of the network architecture, to have
an overview of what the purpose of the network is.
Understanding the threats to your system is crucial.
What are the attack methods? And what are the
attacker’s objectives? Where is your critical data? Who
has access to it?
Network security
Objective of network security is to reduce
attack surface and provide isolation.
Since the network is the attack vector,
monitoring is crucial to detect (attempts
for) compromises
TO GET THE WHOLE PICTURE

Network segmentation
Secure channels (VPN)
Network access control
Security policy enforcement
Regulatory compliance
CIA triad
follow the least privilege rule and only provide
access to the system when it is necessary
define network segments based on the location of
sensitive data and critical services
KISS principle = keep it simple stupid
Guests should have access to the Internet, but not
to the internal network
Services and desktop users should be in different
subnets
Network design
NETWORK TOPOLOGY Network segmentation means that we split the
network into multiple segments/sub-networks by
using firewalls, VLANs, access controls or SDN.
PHYSICAL: how the nework is connected, how the data flows
LOGICAL: how services communicate, which protocols are used.
NETWORK DESIGN CONSIDERATIONS
Detect what you cannot
prevent.
How to segregate?

to ensure isolation
to improve performance (less congestion in network traffic
to reduce attack surface
to prevent single point of failure
to improve network monitoring
Why segregate?
additional costs
more chances for misconfigurations
increased complexity
multiple access policies to maintain
DO NOT SEGREGATE TOO MUCH
Multiple segments lead to:
https://www.zenarmor.com/docs/network-basics/network-segmentation

PUBLIC NETWORK - Internet, not under control of an
organisation
DMZ NETWORK - semi-public network, services that need
access to the internet (web, mail, DNS etc.)
MIDDLEWARE NETWORK - used to separate DMZ from
private network (filtered access, proxy servers),
PRIVATE NETWORK - internal services (sensitive information)
- only access from middleware network is possible
Firewall usually placed between public and other networks.
Also between DMZ and private network and also between
trusted zones.
Common network segments

Basics for network design
Allow internal users to access the internet,
services that require Internet access should be limited,
access to the internal services should be prohibited from the public networks, it should be
restricted to DMZ,
resources in public networks cannot be trusted,
a system that is visible from the Internet cannot contain sensitive data, sensitive services
need to be in a private network,
DMZ communicates with private networks via proxy,
apply zero trust principle in all segments,
apply defence-in-depth (segmentation + firewall(s) + IDS + attack mitigation software etc.),
databases and storage systems should not be accessible from the public internet.

Shut down/disable unused services and ports.
Use strong passwords and a well-defined
password change policy. If possible, disable
password login completely.
Control physical access to devices.
Use tools for automatic configuration, this ensures
a backup of your configuration.
Patch devices for security issues.
Implement defense-in-depth approach.
Perform security auditing.
Network attacks against devices
DoS
DDoS
packet sniffing
packet misrouting
SYN flood
TCP reset attack
Insider threat
Attacks against routers:
Attacks against
switches:
MAC Flooding
Brute force
Password Attack
DHCP Spoofing
and Starvation
STP Attacks
VLAN hopping
Telnet attack
CDP Manipulation
How to defend your network against these
attacks?

Account lock-out,
configure rate-limiting,
use the deny rule by default and only open the ports that are really necessary,
use packet filtering (looks into packet header and checks source and destination IP and port),
use stateful packet inspection (open header/envelope to see the context),
use proxies to ensure another layer of protection (MIM inspection),
use NAT for internal networks (local IPs that are not routable across the internet),
enable IP source verification (customer cannot spoof its IP address),
LPTS = local packet transport service - configure allowed settings (e.g. number of allowed ICMP packets,
number of TCP sessions etc.,
provide continuous monitoring,
defence-in-depth (multiple layers of security),
use VPN - it provides a secure channel over an untrusted network, encrypted packets (broad vs. application-
specific VPN),
DDoS protection (such as BGP Flowspec, which blocks ports that are part of a DDoS attack automatically).
use IDS/IPS.
How to prevent attacks from network?

Firewall - as a hardware appliance, as software inserted into a network device for other
purposes, or software firewall.
hw option is a router with a filtering ruleset, it increases privacy and reduces risks,
enforces the organisation’s security policy
IPS - Intrusion protection system
IDS - Intrusion detection system
PREVENTION
DETECTION
Network security devices

Firewall
Shortcomings
they cannot prevent attacks on
applications
encrypted traffic (e.g. VPN) might bypass
it
organisation sees firewall as sufficient
security control
if the traditional approach is in use, they
represent a single point of failure
Benefits
it enforces organisation’s security policy
it protects systems from incoming and
outgoing attacks
ingress and egress traffic filtering
filtering communication based on content
it encrypts communication
in stores logs about successful and
blocked traffic
in increases privacy
A firewall is just one of the technological security controls. To be secure, an organisation has to
apply a defence-in-depth principle, implementing multi-layer security. If one control fails, another
one is still in place to prevent a compromise.

serves as a detection system, it checks network traffic
IDS can be seen as an alarm system, not as a firewall
reports attacks against monitored systems
the alerts that are sent, are revised by human
it is deployed as a passive sniffer, captures traffic, detects
events of interest and sends alerts
it is placed in different points in the network
Intrusion detection system
NIDS = network IDS
Also HIDS = host intrusion detection system,
checks traffic to/from device and local file
changes
anomaly detection (relies on AI, it
understands what normal traffic is and
reports anomalies)
signature-based detection (detection of bad
patterns, malware) - has a db of patterns
reputation-based detection (reports
security events based on a reputation score
VARIANTS of
DETECTION:
Suricata
Snort
Zeek
Security Onion
Sguil
IDS SOFTWARE:
shallow packet inspection: checks header
(is limited)
deep packet inspection: inspection of all
fields, including variable-length
IDS process uses 2 methods of packet
inspection:

serves as a protection system
often combined with the NIDS in the same software
should be used in combination with a firewall and other
security controls
usually deployed right in front or behind the firewall, if
behind the firewall, it can also check internal traffic
rule-based approach
problem if there are false-positives and stop legitimate
traffic
Intrusion prevention system
NIPS = network IPS
Also HIPS = host intrusion protection
system, stops attacks at the OS level
Cisco IPS
Snort
Fail2ban
Zeek
SolarWinds
IPS SOFTWARE:
IPS =! FIREWALL
A firewall allows or denies traffic based on ports or the source/destination
addresses. IPS compares traffic patterns to signatures and allows or drops
packets based on any signature matches found.

Network Attack
mitigation software
Usually, physical appliances, deployed
between router and network firewall,
commercial solutions. Prevent DDoS attacks
(blackholes, scrubbing), brute force attacks,
syn flood attacks etc.
Arbor Edge Defense (AED) is an
inline security appliance deployed
at the network perimeter (i.e.
between the internet router and
network firewall).
F5 Silverline DDoS prevention
Radware Defense pro
EXAMPLES:

NETWORK SECURITY POLICIES
A network security policy (NSP) is a generic document that outlines rules for
computer network access, determines how policies are enforced and lays out some
of the basic architecture of the company security/ network security environment.
(Redhat)
policies should be defined because they make us
aware of how the system normally performs and
what is allowed.
policies can be enforced by firewalls, proxies,
IDS/IPS, and ACLs on switches/routers, on the
application level.
Account Management
Password policy
E-Mail policy
Security Incident Management
Log Management
VPN Acceptable Use
Server Security
Bring Your Own Device (BYOD) Agreement
Patch Management
Systems Monitoring And Auditing
Remote work policies
Vulnerability Management
Workstation Configuration Security
Useful security policies for your network:

IPv6 SECURITY
Organisations are transitioning to IPv6. Security considerations
encompass:
issues due to the IPv6 protocol itself,
o issues due to transition mechanisms, and
o issues due to IPv6 deployment.
See https://datatracker.ietf.org/doc/html/rfc4942
Internet Society offers links to useful articles and standards:
https://www.internetsociety.org/deploy360/ipv6/security/
IPv6 uses 128-bit internet addresses, it can
support 2^128 internet addresses. The
number of IPv6 addresses is 1028 times
larger than the number of IPv4 addresses

Benefits of IPv6:
Auto-configuration of IP-addresses (no more DHCP)
Built-in authentication and privacy support (IPsec is
part of the protocol suite)
No more private address collisions
QoS using the Flow Label field of the IPv6 header
Simpler header format
Better multicast routing
Simplified, more efficient routing
Flexible options and extensions
No more NAT (Network Address Translation)
IPv6 SECURITY
IPv6 is not more secure than IPv4 by itself.
Problems:
human error (IPv6 hardening not included
by default, only IPv4)
Lack of knowledge and experience about
IPv6
Ineffective Rate Limiting
Lack of IPv6 support at ISPs, service
providers and vendors
a host can have multiple IPv6 addresses
simultaneously, which is unusual in an IPv4 -
> problem for IDS/IPS
IPv6 is often enabled by default, without
knowing

DEFENCE-IN-DEPTH
Encryption
Where can we implement encryption?
Encryption in one layer means encryption in all
upper layers.
Application specific VPN
SFTP, SSH
TLS, SSL
IPSec
PPTP, L2PT, MACSec

OTHER NETWORK SECURITY CONSIDERATIONS
Network security policies
Policies are a translation of network requirements
into a set of rules. Policies should be defined, they
make us aware of how the system normally performs
and what is allowed.
Software defined network
The objective is to make the network as flexible and
as agile as a VM. SDN enables micro-segmentation
and decreases the exposure to system attacks.
Network access control
Security mechanisms include limiting physical
access to devices, security policies, user
authentication, device security, firewalls, proxies and
others.
KISS principle
A too-complex network design will be difficult to
manage. Find a compromise between the complexity
and usability.
01. 03.
02. 04.

Wireshark + tshark - network sniffer
Metasploit - scanners for more than 1500 operations
Nessus - identifies and corrects faulty updates
OpenVAS - checks configuration and basic web flaws
Argus - open-source network analysis tool
tcpdump - network sniffer
Kali linux - bootable Linux with multiple security and forensics tools
Snort - network intrusion detection and prevention system (traffic analysis)
Suricata - IPS
Netcat - utility that reads/writes data accross TCP/UDP network
connections
nmap
Traffic sniffers
Snort
tcpdump
Wireshark
dsniff (for switches)
Kismet (for wireless)
nmap
Network security tools

network traffic
syslog from devices
snmp for network devices
ntp (sync time across entire
network)
WHAT TO LOG?
Logging and monitoring
Use central logging
normalise and visualise logs
analyse daily operations and look into security events
that may be signs of an attack, apply
countermeasurements
collect snmp logs, ntp logs and network traffic logs
collect syslog from devices
Loki
ELK
rsyslog
syslog-ng
Graylog
Splunk
CENTRAL LOGGING

disable unused ports
unused ports can be put in a separate VLAN which is not
used
disable unused services (for instance http server is enabled
by default on Cisco devices)
use infrastructure ACLs - disable invalid traffic from external
network, eg. only allow web traffic for www, block everything
else (filter fragments)
use port security - port is configured for a specific MAC or
only certain range is allowed
limit remote access to console
Network device hardening
CISCO DEVICES:
passwords are not
encrypted by default
ssh version 1 by
default, change to
version 2
console password is
not set, do it
disable telnet (plain
text), only allow ssh
acces
limit access to
console

Are the following statements true or false?
The objective of network security is to reduce the attack surface.
It is not possible to implement defence-in-depth only on the network layer
NAT should be used for internal networks.
Security of network devices includes primarily physical security, remote access control and
environmental threats.
Cisco devices have SHA256 set as default password encryption.
Port Security feature can protect the switch from MAC flooding attacks and from DDoS.
Which access mode should be disabled on network devices, because it sends username and
password in plain text?
`Name at least three measures that apply to network security?
Explain at least 3 ways for hardening network devices.
QUIZ

Cybersecurity_Security_architecture_2023.pdf

More Related Content

Similar to Cybersecurity_Security_architecture_2023.pdf

More from abacusgtuc

Recently uploaded

Cybersecurity_Security_architecture_2023.pdf