3.0 Implementation

3.3 Given a scenario, implement secure network designs.

Last edited 713 days ago by Makiel [Muh-Keel].
Networks are at the core of our organizations, transferring data and supporting the services that we rely on to conduct business. That makes them a key target for attackers and a crucial layer in defensive architecture and design.
Defense in Depth is a security framework that layers multiple security controls so that several are in play at the same time.
The failure of any single control or layer is then not, by itself, enough to cause a data breach, because the remaining layers still hold.

🧬The OSI Model

OSI stands for Open Systems Interconnection; it was developed to help vendors create interoperable network devices and software in the form of protocols, or standards, so the different networks could become more compatible and work better together.
The central purpose of the OSI model is to allow different networks to interoperate, or work in conjunction with one another, smoothly.

📶Network Segmentation

Maintaining security in the network can be made easier by segmenting the network and controlling access from one segment to another.
Network Segmentation can be done at several layers of the OSI model. One of the biggest reasons for implementing segmentation is for security purposes.
Network segmentation divides a network up into logical or physical groupings that are frequently based on trust boundaries, functional requirements, or other reasons that help an organization apply controls or assist with functionality.

📚 Virtual Local Area Networks (VLANs)

VLANs are used for network segmentation; they can also prevent connections between systems that are connected to the same switch, and they can be used to organize users into common networks regardless of their physical location.

🪖Screened Subnet (DMZ) (Perimeter Network)

Screened Subnets, also called DMZs (Demilitarized Zones) or perimeter networks, are network zones that contain systems exposed to less trusted areas.
Public traffic is vetted in the Screened Subnet before entering the internal network.
DMZs are commonly used to contain web servers or other Internet-facing devices but can also describe internal purposes where trust levels are different.

🌐 Intranet

Intranets are internal networks set up to provide information to employees or other members of an organization, and they are typically protected from external access.

🌎 Extranet

Extranets are networks that are set up for external access, typically by partners or customers rather than the public at large.
An extranet is a private network that enterprises use to provide trusted third parties -- such as suppliers, vendors, partners, customers and other businesses -- secure, controlled access to business information or operations.

🚫Zero-Trust

The Zero Trust concept supports least privilege. It describes that when a resource is created, the default permission should be No Access. It also means that when configuring ACLs on routers, all traffic should be blocked by default and only specific traffic allowed.
No one is trusted (Internal and External); Zero-Trust includes security between systems and security on the outer extremities.

🧭East-West Traffic

In today's data centers, much of the data flow is between servers, which is sometimes called East-West traffic.
Since the data often stays inside the data center and is server to server, the access switches provide high-speed, low-latency local interconnections between the servers.
Traffic between systems in the same security zone moves left and right between them, thus "east and west" as you would see on a map.
Designing security solutions that can handle east-west traffic is an important part of security within network segments.
In short, East-West traffic describes intersystem communication within the same data center.

⚖ Load Balancing

Load Balancers are used to distribute traffic to multiple systems, provide redundancy, and allow for ease of upgrades and patching.
Load Balancers are typically used for web service infrastructure to evenly distribute network loads over multiple servers. You can accomplish this on a network by installing multiple, redundant links to ensure that network traffic is spread across several paths and to maximize the bandwidth on each link.
Think of this as similar to having two or more different freeways that will both get you to your destination equally well—if one is really busy, just take the other one.
Load balancers rely on a variety of scheduling or load-balancing algorithms to choose where traffic is sent to. Here are a few of the most common options:
Round-robin sends each request to servers by working through a list, with each server receiving traffic in turn.
It evenly distributes incoming traffic across servers in a sequential manner.
This method is easy to implement, but it doesn't take server load or capacity into account.
Least connection sends traffic to the server with the fewest number of active connections.
This method ensures that new requests are evenly distributed across the servers, considering their current workload.
It is effective in balancing traffic based on the actual load on each server, ensuring a more equitable distribution.
Agent-based adaptive balancing monitors the load and other factors that impact a server's ability to respond and updates the load balancer's traffic distribution based on the agent's reports.
It involves deploying specialized software agents on individual servers or resources to monitor their workload, performance, and availability.
These agents communicate with a centralized load balancer to facilitate dynamic workload distribution based on real-time conditions.
Source IP hashing uses a hash of the source IP address to assign traffic to servers. The spread across servers is effectively random, but the choice is deterministic for any given client because it is driven by client-supplied input.
IP hashing ensures that requests from the same IP address are consistently routed to the same server, maintaining session persistence and stateful connections.
This helps maintain session persistence and allows applications to maintain session state information, such as shopping carts, login sessions, or user preferences.
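As an added example (not part of the original notes), here is a small Python scheduler that implements round-robin, least connection and source IP hashing over a constructed backend pool. A health flag on each backend shows which algorithm gives session persistence and what happens to that persistence when a backend fails its health check.

```python
import hashlib
from dataclasses import dataclass
from itertools import cycle
from typing import List, Optional


@dataclass
class Backend:
    name: str
    active_connections: int = 0
    healthy: bool = True  # set to False when a health check fails


class LoadBalancer:
    """Chooses a backend per request with one of the algorithms in the notes.
    Unhealthy backends are skipped, as a health-check driven failover does."""

    def __init__(self, backends: List[Backend]):
        self.backends = backends
        self._rr = cycle(range(len(backends)))

    def _pool(self) -> List[Backend]:
        return [b for b in self.backends if b.healthy]

    def round_robin(self) -> Optional[Backend]:
        # Walk the list in order; current server load is not considered.
        for _ in range(len(self.backends)):
            candidate = self.backends[next(self._rr)]
            if candidate.healthy:
                return candidate
        return None

    def least_connection(self) -> Optional[Backend]:
        # Whichever healthy backend currently carries the fewest sessions.
        pool = self._pool()
        return min(pool, key=lambda b: b.active_connections) if pool else None

    def source_ip_hash(self, client_ip: str) -> Optional[Backend]:
        # Deterministic for a given client IP, so the same client keeps landing
        # on the same backend (persistence) while the healthy pool is unchanged.
        pool = self._pool()
        if not pool:
            return None
        digest = hashlib.sha256(client_ip.encode()).digest()
        return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def simulate(lb: LoadBalancer, mode: str, client_ips: List[str]) -> List[str]:
    """Send one request per constructed client IP and return the chosen backend
    names. Each pick opens a session, so least_connection reacts to the load
    it has already handed out."""
    chosen = []
    for ip in client_ips:
        if mode == "round_robin":
            backend = lb.round_robin()
        elif mode == "least_connection":
            backend = lb.least_connection()
        elif mode == "source_ip_hash":
            backend = lb.source_ip_hash(ip)
        else:
            raise ValueError(f"unknown mode {mode}")
        if backend is None:
            chosen.append("no-healthy-backend")
            continue
        backend.active_connections += 1
        chosen.append(backend.name)
    return chosen


def persistence_after_failure(client_ip: str) -> dict:
    """The caveat with source IP hashing: the mapping is stable only until the
    healthy pool changes, after which a client can land on a different backend."""
    lb = LoadBalancer([Backend("web1"), Backend("web2"), Backend("web3")])
    first = lb.source_ip_hash(client_ip)
    second = lb.source_ip_hash(client_ip)
    first.healthy = False  # constructed health-check failure
    after = lb.source_ip_hash(client_ip)
    return {"stable": first is second, "moved": after is not first, "new": after.name}
```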
There are two main modes of operation for a load balancer:

♻️Active/Active

Active/Active load balancer designs distribute the load among multiple systems that are online and in use at the same time
Two or more servers aggregate the network traffic load, and working as a team, they distribute it to the network servers
If one of your servers goes down, performance will decrease from the user's perspective, because they are used to unknowingly having two active servers working simultaneously.

🚦Active/Passive

Active/Passive load balancer designs bring backup or secondary systems online when an active system is removed or fails to respond properly to a health check.
This type of environment is more likely to be found as part of disaster recovery or business continuity environments, and it may offer less capability from the passive system to ensure some functionality remains.
The primary load balancer distributes the network traffic to the most suitable server, while the second load balancer operates in listening mode to constantly monitor the performance of the primary load balancer and is ready at any time to step in and take over the load balancing duties should the primary load balancer fail.
You maintain uninterrupted service for your customers.

🎮Virtual IP Address

A Virtual IP Address is the address from which a load-balanced cluster of real servers is accessed; it is the address presented to connecting clients.
Client workstations do not know that the virtual IP is actually multiple computers.
It is the front-facing IP address used for the load-balancing instance.
For example, multiple web servers may share the same IP address, allowing requests to be distributed across multiple machines. This is useful for load balancing and redundancy; a "high availability" server, for instance, may have a single IP address shared by two separate computers.

🚂Persistence

Persistence means that a client and a server continue to communicate throughout the duration of a session.
This helps servers provide a smoother experience, with consistent information maintained about the client, rather than requiring that the entire load-balanced pool be made aware of the client's session.
By having load balancers cache information about each client that accesses their servers, they are able to create persistent sessions, which give a smoother experience for users.

🕵🏾Virtual Private Network

A Virtual Private Network (VPN) is a way to create a virtual network link across a public network that allows the endpoints to act as though they are on the same network.

✌🏾 Two major VPN technologies in use in modern networks

🔐IPsec

IPsec VPNs operate at layer-3, require a client, and can operate in either tunnel or transport mode. IPSec VPNs are often used for site-to-site VPNs, and for VPNs that need to transport more than just web and application traffic.
AH and ESP used in conjunction provide integrity and authentication of the header.
Authentication Header (AH)
The AH protocol provides a mechanism for authentication only. AH provides data integrity, data origin authentication, and an optional replay protection service.
Encapsulation Security Payload (ESP)
The ESP protocol provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). ESP can be used with confidentiality only, authentication only, or both confidentiality and authentication.
Tunnel mode allows the entire data packet, header included, to be encrypted.
Transport mode only encrypts the payload that lies inside the data packet.
Site-to-Site VPNs allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive wide area network (WAN) connections like Frame Relay.
Authentication and encryption for every packet.

🌐SSL/TLS

SSL/TLS VPNs can either use a portal-based approach (typically using HTML5), where users access it via a web page and then access services through that connection, or they can offer a tunnel mode like IPSec VPNs.
Enables end users to securely access resources on the corporate network from anywhere using an SSL/TLS-enabled web browser. They need no remote access client to do this, only a browser that can perform SSL or the more secure TLS.
An HTML5 VPN is one where users access it via a web page and then access services through that connection.
It doesn't need a large VPN client and is not incredibly complex; you just need a 2FA method.
It creates a VPN tunnel without a separate VPN application.
It supports application programming interfaces and includes a web cryptography API.
SSL VPNs also provide the ability to segment application access, allowing them to be more granular without additional complex configuration.

🍨Split tunnel vs Full tunnel

When a client-to-site VPN is created it is possible to do so in two ways, split tunnel and full tunnel. The difference is whether the user uses the VPN for connecting to the Internet as well as for connecting to the office.
Split Tunneling works by using two connections at the same time: the secure VPN connection and an open connection to the Internet. So in split tunneling, only traffic to the office goes through the VPN; Internet traffic does not. The security issue with this is that while the user is connected to the VPN, they are also connected to the most untrusted network, the Internet.
With Full Tunneling, all traffic goes through the VPN, which means the user is accessing the Internet through the office connection, and so all traffic will be examined by the office security controls.

📡Remote Access vs 🏢 Site-to-Site

Remote-Access VPNs are most frequently used in an as-needed mode, with remote workers turning on the VPN when they need to connect to specific resources or systems, or when they need a trusted network connection.
Client-to-Site VPNs or Remote Access VPNs allow remote users like telecommuters to securely access the corporate network wherever and whenever they need to go from any device that has the VPN client correctly installed and configured on it.
Individual User Connection: Each remote user establishes an individual VPN connection to the organization's network.
Site-to-Site VPNs allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive wide area network (WAN) connections like Frame Relay. This is probably the best solution for connecting a remote office to a main company office because all traffic that goes between the offices will be encrypted with no effort on the part of the users.
Since site-to-site VPNs are typically used to extend an organization's network, they are frequently Always On VPNs, meaning that they are connected and available all of the time, and that if they experience a failure they will automatically attempt to reconnect.
It establishes a secure and encrypted connection between the network gateways of different locations, enabling secure communication between the networks.
Client-to-site VPNs focus on providing secure remote access for individual users, while site-to-site VPNs establish secure connections between networks or sites, allowing them to communicate with each other.

2️⃣Layer-2 Tunneling Protocol (L2TP)

L2TP and IPsec are protocols often used in conjunction to provide strong encryption and authentication.
Used together, L2TP and IPsec are much more secure than PPTP (Point-to-Point Tunneling Protocol) but are still more suited for anonymization than for security.
L2TP (Layer-2 Tunneling Protocol) sometimes has problems with firewalls because of its use of UDP port 500, which some firewalls have been known to block.
L2TP was created as a direct upgrade to PPTP.
Connects over a layer-3 network
IPsec (Internet Protocol security) is a very flexible protocol for end-to-end security that authenticates and encrypts each individual IP packet in a given communication.
IPsec is used in a wide range of applications at the Internet Layer of the Internet Protocol suite.

📖DNS Network Security

Domain Name System Security Extensions (DNSSEC)

DNSSEC focuses on ensuring that DNS information is not modified or malicious.
DNSSEC doesn’t provide Confidentiality though.
DNSSEC uses digital signatures, allowing systems that query a DNSSEC-equipped server to validate that the server's signature matches the DNS record.
Digital Signatures: DNSSEC uses cryptographic digital signatures to sign DNS resource records.
These signatures are created using public-key cryptography and are associated with specific DNS records, such as the address (A) record or the start of authority (SOA) record.
DNSSEC can also be used to build a chain of trust for IPsec keys and SSH fingerprints.
DNS uses UDP/TCP port 53.

🔌Port Security and Port-Level Protections

Port Security is a capability that allows you to limit the number of MAC addresses that can be used on a single port.

😅Problems avoided due to Port Security

Port security helps avoid MAC (hardware) address spoofing, content-addressable memory (CAM) table overflows, and unwanted network intrusions.
CAM Table: the CAM table maps MAC addresses to switch ports, allowing a switch to send traffic out the correct port. If a destination MAC has no entry in the CAM table, the switch defaults to flooding the frame out all ports to find the port of the correct device.
Flooding the switch in this way makes traffic that would otherwise be delivered only to its intended port visible on every port, including an attacker's local port.
Configuring port security can help prevent attackers from easily connecting to a network if NAC is not available or not in use.
CAM tables are used by switches to dynamically learn and store the MAC addresses of devices connected to each switch port.
When a device sends a frame to the switch, the switch examines the source MAC address in the frame and adds an entry to the CAM table associating that MAC address with the corresponding switch port.
MAC Address Spoofing: port security can be configured on network switches to only allow specific MAC addresses to access the network through a specific port.
This can prevent an attacker from being able to connect to the network and perform a MAC spoofing attack.
By enforcing port security and explicitly allowing only authorized MAC addresses on switch ports, MAC spoofing attacks can be mitigated effectively.
Unauthorized devices attempting to impersonate legitimate devices by spoofing their MAC addresses will be prevented from gaining access to the network.
Unwanted Network Intrusions: a NAC system can deny network access to noncompliant devices, place them in a quarantined area, or give them only restricted access to computing resources, thus keeping insecure nodes from infecting the network.
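As an added illustration (not from the original notes), the following Python model of a switch CAM table shows why a bounded table can be overflowed by a burst of unfamiliar source MACs on one port, and how a per-port MAC limit with a shutdown violation action keeps the table intact. The MAC addresses, port numbers and table size are constructed for the example.

```python
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple, Union


class Switch:
    """Tiny model of a switch CAM table with optional port security.

    The CAM table is bounded, as on real hardware; when it is full the oldest
    entry is evicted so a new source can be learned. Port security, when
    enabled, caps how many source MACs one port may learn and puts the port
    into err-disabled state on a violation (the 'shutdown' action)."""

    def __init__(self, cam_capacity: int, max_macs_per_port: Optional[int] = None):
        self.cam: "OrderedDict[str, int]" = OrderedDict()  # mac -> port
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port  # None = port security off
        self.err_disabled: set = set()
        self.violations: List[Tuple[int, str]] = []  # what a NOC would alert on

    def macs_on(self, port: int) -> int:
        return sum(1 for p in self.cam.values() if p == port)

    def ingress(self, port: int, src_mac: str) -> str:
        """Source-address learning for one frame. Returns 'known', 'learned',
        'evicted' (learned after pushing out the oldest entry) or 'dropped'."""
        if port in self.err_disabled:
            return "dropped"
        if self.cam.get(src_mac) == port:
            self.cam.move_to_end(src_mac)  # refresh, like resetting the aging timer
            return "known"
        if self.max_macs_per_port is not None and self.macs_on(port) >= self.max_macs_per_port:
            self.violations.append((port, src_mac))
            self.err_disabled.add(port)
            return "dropped"
        result = "learned"
        if src_mac not in self.cam and len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)  # oldest entry falls out of the table
            result = "evicted"
        self.cam[src_mac] = port
        return result

    def egress_port(self, dst_mac: str) -> Union[int, str]:
        """Unknown destinations are flooded out every port, which is exactly
        the exposure a CAM overflow creates for otherwise unicast traffic."""
        return self.cam.get(dst_mac, "flood")


def run_scenario(port_security: bool) -> Dict[str, object]:
    """Two legitimate hosts learn normally, then port 3 emits a burst of
    constructed, never-before-seen source MACs."""
    sw = Switch(cam_capacity=4, max_macs_per_port=1 if port_security else None)
    sw.ingress(1, "02:00:00:00:00:01")  # host on port 1 (constructed MAC)
    sw.ingress(2, "02:00:00:00:00:02")  # host on port 2 (constructed MAC)
    burst = [f"02:00:00:00:ff:{i:02x}" for i in range(10)]
    outcomes = [sw.ingress(3, mac) for mac in burst]
    return {
        "host1_reachable_at": sw.egress_port("02:00:00:00:00:01"),
        "port3_err_disabled": 3 in sw.err_disabled,
        "violations": len(sw.violations),
        "burst_outcomes": outcomes,
        "cam_size": len(sw.cam),
    }


if __name__ == "__main__":
    print("without port security:", run_scenario(False))
    print("with port security:   ", run_scenario(True))
```

Without the per-port limit, host 1's entry is evicted and its traffic becomes unknown-unicast that floods out every port; with the limit, port 3 is err-disabled after its first violation and the legitimate entries survive.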

🧱 Port security — Protocol-level protections

➰Loop Preventions

Loop Prevention focuses on detecting loops and then disabling ports to prevent the loops from causing issues.
🌳STP (Spanning Tree Protocol) blocks redundant links between any two network devices and leaves a single active link between them to eliminate loops.
STP will often put a switch into convergence mode, where it begins examining which interfaces are available and which are not, based on this particular outage.
If an interface becomes unavailable, STP will administer a different path to allow traffic to keep flowing.

💂🏾‍♂️BPDU (Bridge Protocol Data Unit) Guard

A Bridge Protocol Data Unit (BPDU) is a data message transmitted across a local area network to detect loops in network topologies. A BPDU contains information regarding ports, switches, port priority and addresses, and switches use this information to configure and maintain the spanning tree topology.
BPDU Guard is a security feature found in multiple networking devices. It helps to prevent attacks on a network by blocking Bridge Protocol Data Units (BPDUs) that are sent from unauthorized devices.
Unauthorized BPDUs can be used to get internal information about a switch, so using BPDU Guard prevents unauthorized BPDUs from being delivered.
If an unauthorized switch or bridge is connected to a port, it may send its own BPDU messages, potentially causing network disruptions and spanning tree topology changes that can lead to loops.

⛈️Broadcast Storm Prevention

A broadcast storm occurs when a loop in a network causes traffic amplification as switches attempt to figure out where traffic should be sent.
Preventing broadcast storms relies on several features such as offering loop protection on ports that will be connected to user devices, enabling STP on switches to make sure that loops are detected and disabled, and rate-limiting broadcast traffic.
STP is a very common protocol to avoid broadcast storms.
If no loop avoidance schemes are put in place, the switches will flood broadcasts endlessly throughout the internetwork.

👀DHCP Snooping

DHCP Snooping focuses on preventing rogue DHCP servers from handing out IP addresses to clients in a managed network.
Someone could plug an unauthorized DHCP server into a switch port where it was not supposed to be, creating either a denial of service situation or a potential security issue.
DHCP Snooping is capable of the following:
DHCP snooping drops messages from any DHCP server that is not on a list of trusted servers.
This list of trusted devices (may have routers, switches, and other DHCP servers) would be configured by the network admin.
Anything explicitly put on the ‘Do Not Trust’ list or not mentioned on the ‘Trusted List’ would be denied.
DHCP snooping also has the ability to block DHCP messages where the source MAC address of the frame and the client hardware address inside the DHCP message do not match.
It can also drop a DHCP release or decline that does not come from the same port that the original request came from, preventing attackers from causing another client's DHCP offer or renewal to fail.
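As an added example (not from the original notes), this Python model applies the three DHCP snooping checks listed above to a constructed sequence of DHCP messages: server replies are accepted only from trusted ports, client messages on untrusted ports must carry a frame source MAC that matches the DHCP client hardware address, and a release or decline must arrive on the port recorded in the binding table. Port numbers and MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMessage:
    port: int          # switch port the message arrived on
    op: str            # DISCOVER / OFFER / REQUEST / ACK / NAK / RELEASE / DECLINE
    src_mac: str       # Ethernet source address of the frame
    chaddr: str        # client hardware address inside the DHCP payload
    yiaddr: str = ""   # address being assigned (server messages only)


class DhcpSnooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending: Dict[str, int] = {}               # chaddr -> port of open request
        self.bindings: Dict[str, Tuple[int, str]] = {}  # chaddr -> (port, leased ip)

    def inspect(self, m: DhcpMessage) -> Tuple[str, str]:
        """Return ('forward', reason) or ('drop', reason) for one message."""
        if m.op in SERVER_MESSAGES:
            if m.port not in self.trusted:
                return "drop", "server message from untrusted port"
            if m.op == "ACK" and m.chaddr in self.pending:
                # Lease granted: remember which port this client lives on.
                self.bindings[m.chaddr] = (self.pending.pop(m.chaddr), m.yiaddr)
            return "forward", "trusted server"
        # Client message: on untrusted ports the frame MAC must match chaddr.
        if m.port not in self.trusted and m.src_mac != m.chaddr:
            return "drop", "source MAC does not match chaddr"
        if m.op in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(m.chaddr)
            if bound is None or bound[0] != m.port:
                return "drop", "release/decline from a port other than the binding"
            del self.bindings[m.chaddr]
            return "forward", "binding removed"
        if m.op in ("DISCOVER", "REQUEST"):
            self.pending[m.chaddr] = m.port
        return "forward", "client message"


def run_trace() -> List[Tuple[str, str, str]]:
    """Constructed trace: port 1 is the uplink to the real DHCP server,
    ports 5 and 7 are access ports. Returns (op, verdict, reason) per message."""
    snooper = DhcpSnooper(trusted_ports=[1])
    client = "02:00:00:00:00:aa"
    other = "02:00:00:00:00:bb"
    trace = [
        DhcpMessage(5, "REQUEST", client, client),
        DhcpMessage(1, "ACK", "02:00:00:00:00:01", client, "10.0.0.20"),
        DhcpMessage(7, "OFFER", other, client, "10.0.0.99"),  # unauthorized server on port 7
        DhcpMessage(7, "REQUEST", other, client),             # chaddr does not match frame MAC
        DhcpMessage(7, "RELEASE", client, client),            # release from the wrong port
        DhcpMessage(5, "RELEASE", client, client),            # genuine release
    ]
    return [(m.op, *snooper.inspect(m)) for m in trace]


if __name__ == "__main__":
    for line in run_trace():
        print(line)
```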

💿MAC (Media Access Control) Filtering

MAC Filtering allows the administrator of a device to either allow or disallow traffic based on the MAC address (hardware address) that is communicating through the network.
It is used to configure your switch to allow communication for all of the devices that are on the inside of your network.
This means any foreign or rogue device that is plugged into the switch will not be granted network access, because its MAC address is not present in the allowed MAC address table.
It is not really considered a security feature, because anyone who could connect to the network could listen, collect a list of all of the MAC addresses that are allowed on the network, and then simply change their MAC address to match one of the allowed ones.

🚧Network Access Control (NAC)

What is NAC?

NAC technologies focus on determining whether a system or device should be allowed to connect to a network. If it passes the requirements set for admission, NAC places it into an appropriate zone.

👮🏾Agent NAC

Agent NAC refers to NAC software agents installed on computers to provide greater detail about any machine wanting to connect to a network.
Software agents typically have a greater ability to determine the security state of a machine by validating patch levels, security settings, antivirus versions, and other settings and details before admitting a system to the network.

🤖Agentless NAC

Agentless NAC refers to the NAC process being agentless and running from a browser or by another means without installing software locally.
Agentless installations are lightweight and easier to handle for users whose machines may not be centrally managed or who have devices that may not support the NAC agent.
This comes at the cost of providing less detail about the machine wanting to connect.

🛰️Out-of-Band Management

Out-of-Band Management provides a secure dedicated alternate access method into an IT network infrastructure to administer connected devices and IT assets without using the corporate LAN.
Since most devices are now managed through a network connection, modern implementations use a separate management VLAN or an entirely separate physical network for administration.
A separate network-based management plane is often the go-to for most network admins due to speed and accessibility.
Physical access to administrative interfaces is another form of Out-of-Band Management.
It is reserved as a last resort for emergency situations because it is often too time consuming to drive to the location, plug in the hardware, and authenticate to the equipment.

⇶ Network Security Appliances

There are many different types of network appliances to consider for security purposes.
Special-purpose hardware devices, virtual machine and cloud-based software appliances, and hybrid models in both open source and proprietary commercial versions are used by organizations.

Four Types of Network Security Appliances

Hardware

A Physical firewall device or firewall hardware is defined as an appliance that sits in-between the uplink and the client system and filters what traffic gets through based on pre-configured security policies, user profiles, and business rules.
A hardware firewall is most often used by enterprises that need a higher level of security for all users and devices, and for safe connection to vital company data in any environment.

Software

A Software firewall is a host-based firewall that is installed on a computer or server, and tasked with network security. It works with a wide variety of other technology security solutions to provide more robust and cohesive security for enterprises of all sizes.
It makes setting security policies much easier, faster and more flexible.
Requires very little space (as a computer program), and can be installed remotely on any number of devices.
The software is installed as a software program on each computer.
Ex. Norton Personal Firewall: Norton Personal Firewall is part of the Norton Internet Security suite and provides firewall protection for Windows. It offers features like intrusion prevention, application control, and traffic monitoring.

Virtual

A Virtual security appliance is a comprehensive security solution designed to run within a virtualized environment, offering a wide range of security services.
A virtual security appliance is designed to run within a virtualized environment, such as a hypervisor or cloud platform; It leverages the nature of the virtual environment to secure virtualized infrastructure and virtual machines.
Complete Security Solution
A virtual security appliance is often a comprehensive security solution that includes not only firewall capabilities but also other security features like VPN, intrusion prevention, antivirus, web filtering, and more. It is designed to provide a wide range of security services within the virtualized infrastructure.
Hardware Independence
Virtual security appliances are not tied to specific physical hardware. They can be deployed and scaled within the virtual infrastructure without requiring dedicated hardware devices.
Integration with Virtualization Platforms
Virtual security appliances are tightly integrated with virtualization platforms, allowing seamless management and integration into the virtualized environment.
They often provide features like automated deployment, centralized management, and integration with virtualization management systems.
Example: Cisco Virtual Adaptive Security Appliance (ASA):
The Cisco Virtual ASA is a virtualized version of Cisco's renowned Adaptive Security Appliance. It provides advanced firewall and VPN capabilities within a virtualized environment. The virtual ASA offers features such as stateful packet inspection, intrusion prevention, site-to-site and remote access VPN, and application visibility and control.

Cloud

Cloud Security appliances are specifically designed to protect cloud environments, leveraging native cloud integrations and providing cloud-specific security controls.