Network security is a means of ensuring that unauthorized access to assets in the network is prevented. This is vital if we are to protect the CIA triad of information security, that is, the Confidentiality, Integrity and Availability of data. Unauthorized access could violate one or more of the CIA triad's principles. Such unauthorized access also causes loss of accountability and non-repudiation of actions. This paper examines the concepts of network security and its best practices, the technologies involved, future trends and the global implications.
Network Security Architecture
Networks typically consist of many different types of devices and resources: communication devices, storage devices, I/O devices, operating systems and software applications, data and services, and so on. There are different types of networks: (1) a Local Area Network (LAN), which covers a relatively small area; (2) a Wide Area Network (WAN), which connects devices over a long distance; (3) a VLAN, which is a virtual LAN; and (4) a Metropolitan Area Network (MAN). MANs usually use a high-capacity backbone to connect different WANs and LANs. If two different LANs are connected using a router, the result is an internetwork, whereas if they are connected using Frame Relay or Asynchronous Transfer Mode (ATM) data link layer technologies, they become part of a WAN.
Most networks use OSI as a reference model. OSI has seven layers: Application, Presentation, Session, Transport, Network, Data Link, and Physical. The TCP/IP model maps the top three OSI layers to its own top layer, called the Application layer; the OSI Transport layer maps to the TCP/IP Host-to-Host layer; the OSI Network layer maps to the TCP/IP Internet layer; and the OSI Data Link and Physical layers together map to the TCP/IP Network Access layer. Most proprietary models can be mapped to the OSI model, since vendors use it as a reference when developing their protocols so that they can interoperate.
Attacks can target the network itself (denial of service) or use the network as a channel (propagating a virus). Different devices work at different layers: computers can process data at all seven layers, routers work up to the Network layer, switches and bridges work at the Data Link layer, and repeaters work at the Physical layer. While transmitting data, each layer adds header and trailer information that helps the data traverse the network to reach another device, before passing the message down to the next layer. This process is called encapsulation. The reverse happens when the message is received and is called de-encapsulation.
TCP/IP is a suite of protocols that regulates the transmission and reception of data between two devices in a network. IP (Internet Protocol) is a connectionless protocol that supports addressing and packet routing and works at the Network layer. TCP, which works at the Transport layer, is a connection-oriented, reliable protocol, which means that it has error detection and correction, flow control and congestion control capabilities. UDP is another Transport layer protocol and is a connectionless, best-effort protocol. TCP uses an exchange of SYN and ACK packets (the handshake) to set up a connection, and this handshake is itself an attack vector.
SYN packets can carry a spoofed source address, and a flood of such SYNs directed at a target system causes a SYN flood, a type of DoS (denial of service) that can be mitigated by using SYN proxies. By predicting TCP sequence numbers, an attacker can hijack the TCP connection between two systems; this exploit is called TCP session hijacking. Layer 2 devices pass data units called frames from one to another, and this traffic is susceptible to attacks. Cabling is a very important part of networking and it is imperative to use the right type of cabling for the intended use. Improper cabling can lead to noise (due to surrounding devices), attenuation (due to excessive lengths), and crosstalk (due to cables being tangled).
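Added example, not part of the paper: a simulation of why a SYN flood works and how the stateless handshake that SYN proxies apply on a server's behalf (a SYN cookie) defeats it. NaiveServer keeps a half-open entry per SYN, while CookieServer encodes the connection in its initial sequence number and commits state only when a valid ACK returns; the addresses, backlog size and secret are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # real servers use a random, rotated key
MASK = 0xFFFFFFFF

def make_cookie(src, sport, dport, tick):
    # 32-bit ISN bound to the connection 4-tuple and a coarse time slot, so
    # the server need not remember the SYN: the client's ACK carries proof.
    msg = f"{src}:{sport}:{dport}:{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class NaiveServer:
    # Stores a half-open entry for every SYN; unanswered spoofed SYNs fill
    # this backlog and legitimate clients are then dropped.
    def __init__(self, backlog=8):
        self.backlog, self.half_open, self.established = backlog, {}, set()
    def on_syn(self, src, sport, dport=80, tick=0):
        if len(self.half_open) >= self.backlog:
            return None  # backlog full: SYN silently dropped
        isn = 1000 + len(self.half_open)
        self.half_open[(src, sport)] = isn
        return isn
    def on_ack(self, src, sport, ack, dport=80, tick=0):
        isn = self.half_open.pop((src, sport), None)
        ok = isn is not None and ack == (isn + 1) & MASK
        if ok:
            self.established.add((src, sport))
        return ok

class CookieServer:
    # Keeps no per-SYN state; a connection exists only after a valid cookie
    # comes back in the client's ACK (the principle SYN proxies rely on).
    def __init__(self):
        self.established = set()
    def on_syn(self, src, sport, dport=80, tick=0):
        return make_cookie(src, sport, dport, tick)  # sent as ISN, nothing stored
    def on_ack(self, src, sport, ack, dport=80, tick=0):
        for t in (tick, tick - 1):  # current and previous slot are accepted
            if ack == (make_cookie(src, sport, dport, t) + 1) & MASK:
                self.established.add((src, sport))
                return True
        return False

def flood_then_connect(server, spoofed=50):
    # Constructed: `spoofed` never-ACKed SYNs (the flood), then one real handshake.
    for i in range(spoofed):
        server.on_syn(f"203.0.113.{i % 254 + 1}", 40000 + i)
    isn = server.on_syn("198.51.100.7", 51515)
    return isn is not None and server.on_ack("198.51.100.7", 51515, (isn + 1) & MASK)
```

With the default backlog the naive server drops the legitimate client after the flood, whereas the cookie server still completes its handshake.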
Networks can have Ring, Bus, Tree, Mesh and Star topologies; the topology determines the physical or logical arrangement of computers and devices. Media access technologies work at the Data Link layer and govern how devices communicate with each other; Ethernet, Token Ring and FDDI are media access technologies used to share resources. ARP is a network protocol used to obtain address-mapping information from the ARP cache tables, and attackers can poison these tables by altering their entries. DHCP is used to assign an IP address to a resource automatically when it boots up; both the client and server sides can be spoofed to gain access to other resources in the network. DHCP snooping on network switches lets DHCP servers assign addresses only to selected devices, based on their MAC addresses. ICMP (Internet Control Message Protocol) delivers control messages, error reports and miscellaneous messages, of which ping is an example. By subverting ICMP, attackers can redirect traffic. By sending oversized ICMP packets, they can cause a network to freeze (the ping of death). They can cause Smurf attacks by spoofing the source address of ICMP echo requests, or Fraggle attacks by doing the same with UDP.
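Added example, not from the paper, for the ARP poisoning and DHCP snooping points above: a passive detector that alerts when an IP's MAC binding changes, and a simplified version of the switch-side check (known as Dynamic ARP Inspection on Cisco switches, which the paper does not name) that forwards ARP replies only when they match the DHCP snooping binding table. The ARP replies and the binding table are constructed sample data.

```python
# Constructed ARP replies seen on a segment, as (time, sender_ip, sender_mac).
# The entry at time 3 claims the gateway's IP from a different MAC, which is
# the signature of ARP cache poisoning; at time 4 the real gateway answers.
SAMPLE_REPLIES = [
    (0, "192.0.2.1", "00:00:5e:00:53:01"),
    (1, "192.0.2.10", "00:00:5e:00:53:0a"),
    (2, "192.0.2.10", "00:00:5e:00:53:0a"),
    (3, "192.0.2.1", "00:00:5e:00:53:99"),
    (4, "192.0.2.1", "00:00:5e:00:53:01"),
]

# Constructed binding table of the kind DHCP snooping builds on a switch:
# the IP-to-MAC pairs the DHCP server actually handed out, plus the gateway.
SNOOPING_BINDINGS = {"192.0.2.1": "00:00:5e:00:53:01", "192.0.2.10": "00:00:5e:00:53:0a"}

def detect_arp_poisoning(replies, protected=("192.0.2.1",)):
    """Passive detection: alert whenever an IP's MAC differs from the one
    first learned; changes on protected IPs (gateways) are critical."""
    learned, alerts = {}, []
    for ts, ip, mac in replies:
        known = learned.setdefault(ip, mac)
        if mac != known:
            alerts.append({"time": ts, "ip": ip, "expected": known, "seen": mac,
                           "severity": "critical" if ip in protected else "warning"})
    return alerts

def dynamic_arp_inspection(replies, bindings):
    """Active mitigation: forward an ARP reply only when its IP/MAC pair
    matches the snooping binding table; everything else is dropped."""
    forwarded, dropped = [], []
    for reply in replies:
        _, ip, mac = reply
        (forwarded if bindings.get(ip) == mac else dropped).append(reply)
    return forwarded, dropped
```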
DNS is used to map between domain names and IP addresses. DNS poisoning (altering this mapping), DNS spoofing (sending false responses to a requestor before the real response is received), hyperlink spoofing, and hijacking an entire domain's resolution details so that they can be used for DoS are also possible attacks; these can be mitigated by using DNSSEC in conjunction with stronger authentication methods. Wormhole attacks grab packets, such as an authentication token, from one location and tunnel them to another location; they can be mitigated by using geographical or temporal leashes. Email spoofing, phishing and other social engineering practices can cause great loss, and the only way to mitigate them is education.
Network Components – Hardware
Repeaters, bridges, routers and switches are network components. Repeaters work at the Physical layer to extend the network by repeating signals and reducing attenuation. Hubs are multiport repeaters, which broadcast every signal they receive to all the devices connected to them. A bridge works at the Data Link layer to connect LAN segments and hence works with MAC addresses. Local bridges connect local LAN segments, remote bridges connect remote LAN segments, and translation bridges connect LAN segments that use different protocols. Since bridges forward all the traffic they receive, one has to be careful about broadcast storms. Routers work at the Network layer, operate on IP addresses, and can connect similar or dissimilar networks. They can fragment data, use Access Control Lists to filter traffic, and calculate the best routing paths. A switch combines the functionality of a bridge and a repeater. Layer 2, 3 and 4 switches, called multilayer switches, have more functionality and are hence used to create VLANs, which are logical LANs on top of physical LANs.
Gateways are used to connect two different environments, such as two different email systems (one using Exchange and the other a proprietary mail system) or two different networks (one using Ethernet and the other Token Ring).
Firewalls are a very important part of network security and are often used to create a DMZ (demilitarized zone), a buffer zone between the internal network and an external network, often the Internet. Firewalls can be of five types:
Packet filtering – The firewall has Access Control Lists and reads the protocol header information to decide whether to allow a packet.
Stateful – This firewall keeps a state table to track traffic and evaluates packets based on both the ACLs and the context of the connection.
Proxy – It stands between the trusted and untrusted networks and makes connections on their behalf, so that there is no direct communication between the two networks. A proxy firewall can be an application-level proxy, which works at the Application layer, or a circuit-level proxy, which works at the network level.
Dynamic packet filtering – When an internal device wants to communicate with an external device, these firewalls create ACLs on the fly to allow the external device to respond to it on one of the ports above 1023.
Kernel proxy – This creates a dynamic virtual protocol stack for the packet it is evaluating and checks all layers of the incoming message in order to discard unsafe packets.
Dual-homed or multi-homed firewalls are used to set up different DMZs: they have more than one network interface card and connect to multiple LAN segments. A screened host is a firewall architecture that employs both a bastion host (a hardened system) and a packet-filtering router. A screened subnet uses an external firewall to filter traffic, which is filtered again by an internal firewall, creating a DMZ between them.
Network Security Best Practices
Attacks on the network can be of various types. Spamming, viruses, denial of service, password guessing, worms, backdoors, sweepers, sniffers, packet forge spoofing, IP spoofing and Trojan horses are just a few of the methods that attackers use. The following best practices are recommended for an organization to follow in securing its network.
Owners are identified for all networks, and key tasks are given to those who are capable of performing them.
Separation of duties is implemented (for example, the staff who design and develop the network are not those who run it). NDAs are signed by all staff, documentation is improved and automation is used to reduce reliance on key personnel, segregation of duties is implemented to reduce the chance of theft or fraud, and thorough background checks are performed on applicants.
The network should be designed keeping in mind current and future traffic requirements and compatibility with the other networks with which it interfaces. It should integrate the standards used organization-wide (for example, naming conventions), minimize single points of failure, use DMZs, reduce entry points, prevent unauthorized access by restricted persons and devices, and use strong encryption.
The network should be fault tolerant and fail safe, with enough fallback options and multiple redundancies in case of a failure.
Software patches for all devices are applied in a timely manner.
Firewalls should be monitored for vulnerabilities and should be able to reroute traffic to an alternate firewall in case of a failure.
Documentation about the network should be clear, up to date, reviewed thoroughly by supervisors and readily accessible to authorized personnel.
Proper SLAs are defined for service providers, and contracts that reflect the SLAs should be signed. This ensures continuity of service even in case of a disaster.
Network devices have to be configured as follows:
The default action should be to deny traffic and fail securely.
Log events on a bastion host (hardened system).
Copy and back up log information at regular intervals.
Use a strong authentication mechanism to control access for personnel and devices; it should support accountability and non-repudiation.
Transmit passwords in encrypted form and store them in an encrypted and salted form.
Disable source routing.
Disable any services that are not used (RPC, rexec and so on).
Verify source and destination routing information when using OSPF or RIP.
Encrypt routing information and protect routing exchanges using strong passwords.
Verify the configuration settings periodically.
Firewall standards and procedures should be documented, including the specific IP addresses, ports and types of sources that are blocked. The firewall should be able to check the destination IP address, the ports, the state of the communication, and the validity of the service (by using, for example, an application proxy firewall).
Firewalls should be configured to deny traffic by default. They should protect the following protocols, as they are prone to abuse: FTP, RIP, SMTP, DNS, UUCP and Telnet. They should properly examine packets of protocols such as ICMP and TCP Echo, which are used for denial of service activities. They should deny any incoming traffic that has a spoofed source address (external traffic carrying an internal source address) and any outgoing traffic with a spoofed address (an unknown source address originating from within the network); the latter prevents the network from being used to stage attacks on other networks. Rules should be based on least access, documented and kept up to date, developed by trusted persons and approved by supervisors. Network information should be hidden by using Port Address Translation (PAT) and Network Address Translation (NAT).
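Added example, not from the paper, that implements the firewall rules listed above in code: default deny, an explicit allow list, both anti-spoofing checks, and the stateful behaviour of admitting replies to flows that were allowed out on a port above 1023 (from the firewall types section). The internal range 10.0.0.0/8, the allow rules and the packet summaries are constructed.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed internal address range

# Explicit allow rules as (direction, protocol, destination port). Anything
# not matched here or by the state table is denied: default deny.
ALLOW_RULES = {("in", "tcp", 443), ("out", "tcp", 443), ("out", "udp", 53)}

class StatefulFilter:
    def __init__(self):
        self.state = set()  # (src, sport, dst, dport) of flows allowed outbound

    def check(self, direction, proto, src, sport, dst, dport):
        """Return 'allow' or 'deny: <reason>' for one packet summary."""
        src_ip = ipaddress.ip_address(src)
        # Anti-spoofing: inbound packets must not claim an internal source and
        # outbound packets must have one (so the network cannot stage attacks).
        if direction == "in" and src_ip in INTERNAL:
            return "deny: inbound packet with spoofed internal source"
        if direction == "out" and src_ip not in INTERNAL:
            return "deny: outbound packet with non-internal source"
        # Dynamic/stateful rule: a reply to a flow we allowed out, returning to
        # the client's ephemeral port (above 1023), is accepted.
        if direction == "in" and dport > 1023 and (dst, dport, src, sport) in self.state:
            return "allow"
        if (direction, proto, dport) in ALLOW_RULES:
            if direction == "out":
                self.state.add((src, sport, dst, dport))
            return "allow"
        return "deny: no matching rule (default deny)"

# Constructed packet summaries: (direction, proto, src, sport, dst, dport).
SAMPLE_PACKETS = [
    ("out", "udp", "10.1.1.5", 51000, "192.0.2.53", 53),       # DNS query out
    ("in", "udp", "192.0.2.53", 53, "10.1.1.5", 51000),        # its reply
    ("in", "udp", "192.0.2.53", 53, "10.1.1.5", 51001),        # unsolicited
    ("in", "tcp", "10.9.9.9", 1234, "10.1.1.5", 443),          # spoofed source
    ("out", "tcp", "198.51.100.4", 1234, "203.0.113.8", 443),  # spoofed outbound
    ("in", "tcp", "203.0.113.8", 40000, "10.0.0.80", 443),     # HTTPS to DMZ host
    ("in", "tcp", "203.0.113.8", 40000, "10.0.0.80", 22),      # not permitted
]

def filter_all(packets, fw=None):
    fw = fw or StatefulFilter()
    return [fw.check(*p) for p in packets]
```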
External access to the network should be restricted and all connections should be identified. Connections should be restricted to authorized personnel and devices that are approved by the network owner. All access should be logged, and access should be promptly removed when the need no longer exists. Access should be granted for specific areas, only through specific entry points, and should be verified every time. Manual and automated audits should be performed to remove connections whose authorizations have expired. Dial-up connections should be verified using dial-back, and call forwarding should be disabled. Authentication should be done using systems like RADIUS or TACACS+. Kerberos can be used to provide authentication for client/server applications.
Wireless access should be approved by the owner only after a thorough risk analysis has been done. The procedure for configuring wireless access points and their placement should be documented. Proper authentication has to be used (WEP or WPA2) to protect information, and the keys should be changed periodically. Periodic checks have to be performed using network detectors to identify and remove unauthorized access points. Wireless access points should have unique SSIDs, and none of them should be the default SSID.
Network performance should be monitored using automated software, and any changes investigated. Hosts and network devices should be scanned for vulnerabilities using software (NESSUS, SATAN or Pingware). Network discovery tools should be used to check for unauthorized systems in the network. Intrusion detection and prevention systems should be used to detect and prevent intrusions.
The network should be well protected from natural hazards and intruders. Physical access to devices should be restricted and logged. Backups should be performed frequently and transported offsite. Security awareness training should be provided to all employees, vendors and clients.
The global trends for enterprise network security are as follows:
There will be more security breaches, and they will be harder to stop. Software as a Service, Infrastructure as a Service, hybrid clouds and personal clouds all indicate that cloud technologies are going to dominate, and network security has to adapt to this new reality. Data center virtualization, software-defined networking and software-defined storage are becoming prevalent. This leads to extensive use of APIs, which are vulnerable entry points into the network. Industrial control systems and the Internet of Things are going to be the next targets for cyber attacks because of their increased proliferation, and if they are compromised they can cause huge losses and inconvenience to the public. Wireless is increasingly replacing wired networks, and network bandwidth continues to increase. Large networks can benefit from using big data analytics to derive meaningful findings from the staggering amount of data being collected.