Introduction To Network Cyber Security
Table of Contents
1. Overview
2. Introduction to Networks
3.
4. Understanding Networks
5.
6.
7. Markets
8.1. Protection
8.2. Defense/Interception
8.3. Analysis and Situational Awareness
8.4. Active Test
8. Growth Areas
9.
May 2012
1. Overview
This paper provides an overview of network cyber security, what it is, and an explanation of some of the
terms. Cyberspace can be divided into the following assets: devices, data, networks, and people
(Diagram 1). Securing those assets is the job of cyber security. Many of us are familiar with cyber security
products designed to protect devices, such as anti-virus or login passwords. We are also familiar with the
concept of encryption to protect data, but what about network security? Data needs to be communicated
and therefore networks are required in order to make use of that data in a wider context. We use cryptos
on networks (such as military data-link cryptos, or hardware VPN cryptos) but these devices are really just
protecting the data flowing over the networks rather than the infrastructure or operation of the network
itself.
Cryptography plays a large role in network cyber security, but it is not the only one. Cryptography can
also play a larger role than just traffic encryption within network cyber security, and some of those ideas
will be presented here.
Networks are easy to understand and have many obvious analogies in the real world. This paper should
help the reader understand what computer networks are, facilitate ongoing discussions and avoid
confusion, by providing a commonly understood baseline and terminology.
2. Introduction to Networks
Computer networks are one of those technologies which most people have heard of, and have an idea of
what they are, but do not necessarily understand. When most people hear the term computer network
they immediately think of wires and cables strung between boxes. Networks do not exist without the
wires or physical network, but the wiring is not what makes transportation across them possible.
A good analogy when thinking of computer networks is the road infrastructure. The surface of the road
defines where the road is, but it is the extra elements such as traffic lights, speed limits, drivers' licenses,
cars, lorries, bridges and roadmaps that make transportation across it possible. Without highway
laws, safe vehicles, signposts and maps, the roads would just be stretches of tarmac without any
purpose. Computer networks are the same: the easy part is putting the cables in the ground and
connecting them together; the hard part is getting traffic to flow through them correctly and reliably from
source to destination all across the world!
Attackers can manipulate and disrupt a network and its traffic by hacking these other elements. It is the
role of network cyber security to act as the police of the system and to try and ensure the infrastructure
remains as reliable and accessible as possible.
perform in a non-standard manner, potentially allowing them to do unauthorized or undesigned tasks.
Anti-virus products themselves are large complex pieces of software, and are not immune to
being the vector through which an attacker successfully gains control over a system.
As a result, the application space is not an open, no-holds-barred playground. Operating systems and
vendors have worked hard to try and enforce stricter rules on access and authentication for certain
operations. A simple username and login prompt can provide an acceptable level of application security in
certain circumstances. Otherwise, granular control over which files, folders and system operations a user
can manipulate can be implemented to protect against malicious behavior. This stops an exploited piece
of software such as a word processing application from being able to maliciously change the underlying
operating system.
However, because the application space is all software and it is very difficult to write perfect bug free
software, application security will always be required. Without it, there could be no guarantee that a
computer or task was being carried out as the designer and operator intended.
4. Understanding Networks
4.1. Building Blocks
Almost all IP networks are built from the same few building blocks, from small office scale networks to the
expanse of the Internet. Combined together, these building blocks create a useful network infrastructure
over which any type of data can flow. The utility of a network is its purpose: should an attacker
successfully attack one of the building blocks, they will disrupt the usefulness of the network and
therefore cause the same damage as if they had cut the wires themselves. So what are these building blocks?
(Diagram 2)
order to get from one house in one AS (city) to another house in another AS, you have to plan your
journey just as you do for a road trip, which involves traversing the city's roads as well as the inter-city
highways. The same is true for networks: you use internal routers to get through each AS, and external
routers to get between ASes. Both external and internal routers are needed if large networks are to be
deployed. Do not confuse the geographical topology of networks with the network topology of ASes. There
is some commonality due to the locations of wires and computers, but the network topology is primarily
determined by an AS's architecture across its user base.
The Internet was initially designed to be robust and adaptable to the loss of any given link. The Internet
is still very capable of quickly routing around lost connections, but it is not as robust as most people
think. Due to economic pressures, the Internet actually has a relatively small number of critical nodes
(called Internet Exchange Points) through which a very large amount of traffic passes. Should these be
disrupted or destroyed, it is uncertain how well the rest of the network would operate. These include the
Deutscher Commercial Internet Exchange (1120 Gbps), Amsterdam Internet Exchange (912 Gbps),
Equinix Exchange (990 Gbps) and London Internet Exchange (743 Gbps), the figures being their average
throughputs.
The Internet Topology (Diagram 4) clearly illustrates some of these primary interconnects.
Diagram 4 The Internet Topology (Opte Project: http://opte.org/)
4.5. Protocols
The final IP network building block involves protocols. Protocols can be thought of as the Highway Code:
everyone needs to know them and follow them in order to use the network. The most common ones are
IPv4, which describes how to label a packet, and TCP, which describes how to reliably send packets.
There are many more which are intrinsic to the working of a network, but it is not necessary for the
purposes of this discussion to look at these in detail. What is important to understand is that networks are
bound to these protocols; they need to use them in order to interoperate. Network protocols are open and
available for anyone to understand and implement, and as a result, computers and networks operate in a
predictable and pre-determined manner.
Networks are designed to carry traffic, therefore there are some aspects of network operation and
network security which require viewing the traffic itself. Inspecting the traffic through a network could be
thought of as a part of data cyber security, however there is a fine line differentiating the two, so for the
purposes of this discussion, they will be deemed as part of network cyber security.
Networks operate by inspecting the headers of the traffic that flows across them, as this is where the
destination addresses are given. A great deal of extra information can be obtained by looking further into
a packet of data rather than just observing its header. Network monitors are designed to do just this, and
the practice is termed deep packet inspection or analysis (DPI). DPI sounds impressive, but it only describes
the act of looking at more than just the header. As in real life, reading is the easy part; it's the understanding
of what you have just read that is difficult.
in the address servers, then they will give clients the wrong information and clients will unwittingly connect
to the wrong destination. The other way to manipulate the address services is to impersonate them. If an
attacker can listen for a client's request and impersonate a reply before the real address server can, then
the client will use the information provided by the attacker. This is known as spoofing, and occurs
because there is a historical inherent trust of the address services. This is slowly changing with the
addition of technologies such as Domain Name System Security Extensions (DNSSEC), but we are far
from this point yet. Apart from directing computers to the wrong destinations, attackers can also pretend
to be the Internet access point, and have computers connect through them. This enables them to act as a
man-in-the-middle and view all the traffic and manipulate it as they see fit. The ability to act as a fake
destination or gateway allows an attacker to completely control the conversation and manipulate any of
the data passing through it. An attacker could, for example, capture all of your login information or even
send fake email from your account.
It is the integrity and legitimacy of address services that are attacked by hackers; if they control the
address services they control the destination of traffic. Network defenders are therefore on the lookout for
address service impersonators or manipulations to the address service information, but as attacks
become more sophisticated this becomes more difficult.
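One concrete form of the "lookout for address service impersonators" mentioned above is to watch for a single DNS query that receives more than one, disagreeing reply. The following is an added example written for this page, not code from the paper; the record layout, the function names and the sample replies are all constructed, and the sample uses documentation address ranges, with 192.0.2.53 standing in for the site's real resolver.

```go
package main

import (
	"fmt"
	"sort"
)

// DNSReply is a constructed, simplified view of one DNS answer as a passive
// monitor on the client's network segment would record it.
type DNSReply struct {
	Client    string // address of the client that sent the query
	TxID      uint16 // transaction id copied from the query
	Name      string // name that was looked up
	Answer    string // address carried in the reply
	Responder string // source address of the reply
}

// queryKey identifies one outstanding query. A client expects exactly one
// reply per (client, transaction id, name); a second, different reply means
// two parties answered the same question.
type queryKey struct {
	Client string
	TxID   uint16
	Name   string
}

// FindConflictingReplies returns, sorted, the names for which a single query
// drew replies that disagree on the answer or came from different responders.
// A retransmitted identical reply is not flagged.
func FindConflictingReplies(replies []DNSReply) []string {
	first := make(map[queryKey]DNSReply)
	flagged := make(map[string]bool)
	for _, r := range replies {
		k := queryKey{r.Client, r.TxID, r.Name}
		prev, seen := first[k]
		if !seen {
			first[k] = r
			continue
		}
		if prev.Answer != r.Answer || prev.Responder != r.Responder {
			flagged[r.Name] = true
		}
	}
	names := make([]string, 0, len(flagged))
	for n := range flagged {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// SampleReplies is constructed sample data. 192.0.2.53 plays the site's real
// resolver; 192.0.2.99 is another host on the segment that answers one query
// first, with a different address.
var SampleReplies = []DNSReply{
	{Client: "192.0.2.10", TxID: 0x1a2b, Name: "www.example.com", Answer: "198.51.100.7", Responder: "192.0.2.99"},
	{Client: "192.0.2.10", TxID: 0x1a2b, Name: "www.example.com", Answer: "203.0.113.20", Responder: "192.0.2.53"},
	{Client: "192.0.2.11", TxID: 0x3c4d, Name: "mail.example.com", Answer: "203.0.113.25", Responder: "192.0.2.53"},
	{Client: "192.0.2.11", TxID: 0x3c4d, Name: "mail.example.com", Answer: "203.0.113.25", Responder: "192.0.2.53"}, // benign retransmit
	{Client: "192.0.2.12", TxID: 0x5e6f, Name: "intranet.example.com", Answer: "192.0.2.80", Responder: "192.0.2.53"},
}

func main() {
	for _, n := range FindConflictingReplies(SampleReplies) {
		fmt.Printf("conflicting replies for %s: possible address-service impersonation\n", n)
	}
}
```

Only the first query is flagged: the later genuine answer arrives after the client has already accepted the first one, which is exactly the race the text describes. The benign retransmit is identical in every field and so is ignored.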
historically. This trend analysis is utilized to identify anomalous data streams and potential attacks. To
describe this as looking for a needle in a haystack is very apt although a little misleading, because most
security assessors actually remove all of the hay until just needles remain. In other words, they identify
normal traffic and then discard it from the analysis until only the unusual traffic remains.
5.8. Netflow
Even within a medium sized office, the amount of traffic flowing over the network will probably be too
large to capture and store without being prohibitively expensive. Attempting to copy all of the letters a
postman delivers in one day is almost impossible, but asking him to make a note of the sender and
destination post codes (zip codes) is not. In the network cyber security arena this function is called
Netflow. Network monitoring systems, such as Intrusion Detection Systems (IDS), make a log of netflow
which allows them to keep track of who is talking to whom without actually storing what is being said.
Netflow can be thought of as a social network map of a network. Obviously this data in and of itself is very
interesting, and there are many products and systems in the cyber space to analyze and make inferences
on netflow data.
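The postman analogy above, as an added example that is not part of the paper: packets are folded into flow records keyed by the classic 5-tuple, keeping only counts, and the records are then ranked to show who talks the most. The packet layout, function names and sample traffic are constructed for this illustration; the Payload field exists only to show that flow accounting never reads it.

```go
package main

import (
	"fmt"
	"sort"
)

// Packet is a constructed stand-in for one observed IP packet. Payload is
// present to make the point that flow accounting never looks at it.
type Packet struct {
	Src, Dst         string
	SrcPort, DstPort int
	Proto            string
	Bytes            int
	Payload          string
}

// FlowKey is the 5-tuple that identifies a unidirectional flow.
type FlowKey struct {
	Src, Dst         string
	SrcPort, DstPort int
	Proto            string
}

// FlowStats is what a flow exporter keeps per flow: counts, not content.
type FlowStats struct {
	Packets int
	Bytes   int
}

// Aggregate folds packets into flow records keyed by 5-tuple.
func Aggregate(pkts []Packet) map[FlowKey]FlowStats {
	flows := make(map[FlowKey]FlowStats)
	for _, p := range pkts {
		k := FlowKey{p.Src, p.Dst, p.SrcPort, p.DstPort, p.Proto}
		s := flows[k]
		s.Packets++
		s.Bytes += p.Bytes // p.Payload is deliberately never touched
		flows[k] = s
	}
	return flows
}

// Talker is one source address and the bytes it sent across all its flows.
type Talker struct {
	Src   string
	Bytes int
}

// TopTalkers ranks source addresses by bytes sent, busiest first.
func TopTalkers(flows map[FlowKey]FlowStats) []Talker {
	totals := make(map[string]int)
	for k, s := range flows {
		totals[k.Src] += s.Bytes
	}
	out := make([]Talker, 0, len(totals))
	for src, b := range totals {
		out = append(out, Talker{src, b})
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Bytes != out[j].Bytes {
			return out[i].Bytes > out[j].Bytes
		}
		return out[i].Src < out[j].Src
	})
	return out
}

// SamplePackets is constructed sample traffic using documentation address ranges.
var SamplePackets = []Packet{
	{"192.0.2.10", "203.0.113.80", 51000, 443, "tcp", 120, "ClientHello..."},
	{"192.0.2.10", "203.0.113.80", 51000, 443, "tcp", 1400, "(ciphertext)"},
	{"192.0.2.10", "203.0.113.80", 51000, 443, "tcp", 800, "(ciphertext)"},
	{"192.0.2.11", "203.0.113.25", 40000, 25, "tcp", 500, "EHLO mail.example.com"},
	{"192.0.2.11", "203.0.113.25", 40000, 25, "tcp", 700, "MAIL FROM:<...>"},
	{"192.0.2.10", "192.0.2.53", 53001, 53, "udp", 64, "A? www.example.com"},
}

func main() {
	flows := Aggregate(SamplePackets)
	for k, s := range flows {
		fmt.Printf("%s:%d -> %s:%d %s packets=%d bytes=%d\n", k.Src, k.SrcPort, k.Dst, k.DstPort, k.Proto, s.Packets, s.Bytes)
	}
	for _, t := range TopTalkers(flows) {
		fmt.Printf("%s sent %d bytes\n", t.Src, t.Bytes)
	}
}
```

Six packets collapse into three flow records, and the records are all a later analyst needs to answer "who spoke to whom, how much and over which port" without a single byte of payload having been stored.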
Each area has a unique role in securing networks and all four are required in order to maintain the
operational reliability and integrity of computer networks. As we look at each in detail we will see that the
securing of networks is really the securing of the integrity of networks, which is to say that we continue to
ensure that network operational information is both accurate and authentic.
6.1.1. VPNs
In addition to the standard in-line encryption, networks also utilize virtual private networks (VPNs) to
protect network traffic. Most business people are familiar with VPNs, and know that it is a technology that
allows them to gain access to their company's network while out of the office. VPNs are in fact a suite
of protocols that are used to securely identify and authenticate both your computer and your office's
network over a public network (e.g. the Internet) and to exchange encryption keys. Once both parties
have guaranteed the identity of each other, they utilize an encrypted tunnel to securely communicate.
The VPN protocols used are just part of the IPSec suite of protocols or HAIPE (for government use).
The traffic will be protected provided that authentication and identification steps are properly executed.
However, as was discussed in the previous certificates section, if someone else is able to obtain a
false certificate, they could potentially intercept your traffic and view all of your data.
Once you have protected the data and want to send it over the network, you then need to ensure that
the data reaches the correct destination reliably. Specifically, this means ensuring that the routing
tables and link advertisements communicated by internal and external routers are accurate and
originate from an appropriate source, i.e. they have not been made up or modified by an attacker.
Integrity and authenticity are possible through the use of digital signatures and certificates. Each router
digitally signs its information before circulating it, removing the possibility of an attacker
spamming the network with false information. This requires all routers to have crypto hardware within
them to perform the signature protocols. The cost of doing this is very expensive in terms of resources
and time. It is most costly when links are changing, which is the exact moment that you do not want
extra overheads! Furthermore, this only prevents non-routers from advertising false topology
information and does not prevent a malicious router from producing false topological information.
Whilst this is not necessarily a problem when the entire network is under your control, the Internet
relies on external routers all around the world to share information including those in Russia and
China. Although we could determine that the information they sent to us is authentic and accurate as
provided, we have no idea as to its veracity.
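The distinction the last two paragraphs draw between authenticity and veracity is easy to see in code. The following is an added example, not code from the paper or from any routing protocol: routers sign a simplified advertisement with Ed25519 (Go's standard-library implementation), and a receiver checks it against a table of trusted keys that stands in for the certificate lookup. Of the four cases run, a tampered update and an outsider's forgery are rejected, while a trusted router lying about a prefix it does not reach verifies perfectly, which is the point the text makes about external routers. The message format, names and trust table are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Advertisement is a constructed, simplified routing update: which router is
// speaking, which prefix it claims to reach, and a sequence number so that an
// old update cannot simply be replayed.
type Advertisement struct {
	Router string `json:"router"`
	Prefix string `json:"prefix"`
	Seq    uint64 `json:"seq"`
}

// SignedAdvertisement carries the update together with the originator's signature.
type SignedAdvertisement struct {
	Adv Advertisement
	Sig []byte
}

// encode produces the exact bytes that are signed and verified. encoding/json
// writes struct fields in declaration order, so both sides agree on the bytes.
func encode(adv Advertisement) ([]byte, error) { return json.Marshal(adv) }

// Sign is what an originating router does before circulating an update.
func Sign(priv ed25519.PrivateKey, adv Advertisement) (SignedAdvertisement, error) {
	msg, err := encode(adv)
	if err != nil {
		return SignedAdvertisement{}, err
	}
	return SignedAdvertisement{Adv: adv, Sig: ed25519.Sign(priv, msg)}, nil
}

// Verify is what a receiving router does. trusted maps router names to the
// public keys it accepts, standing in for a certificate lookup. It answers
// only "did the named router sign exactly these bytes?", nothing about truth.
func Verify(trusted map[string]ed25519.PublicKey, sa SignedAdvertisement) bool {
	pub, ok := trusted[sa.Adv.Router]
	if !ok {
		return false
	}
	msg, err := encode(sa.Adv)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sa.Sig)
}

// Outcome records whether each of the four cases verified.
type Outcome struct {
	Genuine, Tampered, Outsider, MaliciousInsider bool
}

// Scenario builds two trusted routers and one outsider and runs each case.
func Scenario() (Outcome, error) {
	var o Outcome
	pubA, privA, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	pubB, privB, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	_, privX, err := ed25519.GenerateKey(rand.Reader) // held by nobody in the trust table
	if err != nil {
		return o, err
	}
	trusted := map[string]ed25519.PublicKey{"router-a": pubA, "router-b": pubB}

	// 1. genuine update from router-a: verifies
	sa, err := Sign(privA, Advertisement{"router-a", "198.51.100.0/24", 1})
	if err != nil {
		return o, err
	}
	o.Genuine = Verify(trusted, sa)

	// 2. the same update with the prefix altered in transit: rejected
	tampered := sa
	tampered.Adv.Prefix = "203.0.113.0/24"
	o.Tampered = Verify(trusted, tampered)

	// 3. an outsider signing in router-a's name with its own key: rejected
	forged, err := Sign(privX, Advertisement{"router-a", "203.0.113.0/24", 2})
	if err != nil {
		return o, err
	}
	o.Outsider = Verify(trusted, forged)

	// 4. trusted router-b correctly signing a prefix it does not reach: verifies
	lie, err := Sign(privB, Advertisement{"router-b", "198.51.100.0/24", 7})
	if err != nil {
		return o, err
	}
	o.MaliciousInsider = Verify(trusted, lie)
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Signatures settle who said something and that it was not changed on the way; whether a trusted speaker is telling the truth about its prefixes is a separate question that no amount of crypto on the update itself can answer.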
In addition to secure routing, there needs to be secure addressing so that you can accurately
determine your own location, the gateway to the network and your final destination. Mechanisms such
as Secure DNS are being deployed to provide solutions to some of the issues, but other ones such as
gateway discovery (through the ARP protocol) are still vulnerable. Just as with securing router
advertisements, secure DNS utilizes certificates and digital signatures to provide integrity and
authenticity of its data.
Thus the protection or hardening of networks is not necessarily through the encryption of the data
passing through them, so much as ensuring the integrity and authenticity of the operational and
management data. This means that as network hardening is rolled out, there will be an increasing
reliance on certificates and the security of root authorities (certificate signers), and thus on the
encryption devices used within them. The more signatures and certificates are used, the more need
there is for crypto.
6.1.3. Firewalls
Firewalls are one of the cornerstones of network protection: they are the stateful
machines that stop unsolicited communications from entering a system. Firewalls only allow traffic out
of the network and only allow traffic from a known and specified source in. Typically the known source
is either specifically listed (e.g. another company office) or it is the reply from a site with which
someone inside the network is trying to communicate. For the most part firewalls are very good at
keeping out unwanted traffic; however, sophisticated attacks such as TCP injection can find holes in
their operation.
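The stateful rule just described, as an added example that is not code from the paper or from any firewall product: outbound packets are permitted and remembered, and an inbound packet passes only if it comes from a listed source or reverses the endpoints of a remembered outbound packet. The packet layout, the listed address and the sample traffic are constructed for this illustration.

```go
package main

import "fmt"

// Packet is a constructed view of one IP packet at the network border.
type Packet struct {
	Src, Dst         string
	SrcPort, DstPort int
	Inbound          bool // true when arriving from the outside
}

// conn identifies a conversation from the inside host's point of view.
type conn struct {
	Inside, Outside         string
	InsidePort, OutsidePort int
}

// Firewall is the stateful machine the text describes: outbound traffic is
// allowed and remembered; inbound traffic is allowed only when it is the reply
// to something remembered or comes from an explicitly listed source.
type Firewall struct {
	allowedSources map[string]bool
	established    map[conn]bool
}

// NewFirewall builds a firewall that additionally trusts the given sources.
func NewFirewall(allowedSources ...string) *Firewall {
	f := &Firewall{allowedSources: map[string]bool{}, established: map[conn]bool{}}
	for _, s := range allowedSources {
		f.allowedSources[s] = true
	}
	return f
}

// Permit returns true if the packet may pass, recording state for outbound traffic.
func (f *Firewall) Permit(p Packet) bool {
	if !p.Inbound {
		f.established[conn{p.Src, p.Dst, p.SrcPort, p.DstPort}] = true
		return true
	}
	if f.allowedSources[p.Src] {
		return true
	}
	// A reply swaps the endpoints of the outbound packet that started it.
	return f.established[conn{p.Dst, p.Src, p.DstPort, p.SrcPort}]
}

// SamplePackets is constructed sample traffic, in arrival order, for a border
// firewall protecting 192.0.2.0/24 that also trusts the branch office at 198.51.100.5.
var SamplePackets = []Packet{
	{Src: "203.0.113.9", Dst: "192.0.2.10", SrcPort: 40000, DstPort: 445, Inbound: true},   // unsolicited: drop
	{Src: "192.0.2.10", Dst: "203.0.113.80", SrcPort: 51000, DstPort: 443, Inbound: false}, // outbound: allow, remember
	{Src: "203.0.113.80", Dst: "192.0.2.10", SrcPort: 443, DstPort: 51000, Inbound: true},  // reply: allow
	{Src: "203.0.113.99", Dst: "192.0.2.10", SrcPort: 443, DstPort: 51000, Inbound: true},  // wrong peer: drop
	{Src: "198.51.100.5", Dst: "192.0.2.10", SrcPort: 22, DstPort: 22, Inbound: true},      // listed source: allow
}

// RunSample feeds the sample traffic through a fresh firewall and returns the
// per-packet decisions.
func RunSample() []bool {
	fw := NewFirewall("198.51.100.5")
	decisions := make([]bool, 0, len(SamplePackets))
	for _, p := range SamplePackets {
		decisions = append(decisions, fw.Permit(p))
	}
	return decisions
}

func main() {
	for i, ok := range RunSample() {
		fmt.Printf("packet %d permitted=%v\n", i+1, ok)
	}
}
```

The fourth packet shows why the state table keys on the whole 4-tuple rather than the inside port alone: a packet that merely targets a port the inside host has open is not a reply unless it also comes from the peer that host is talking to.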
that networks operate and are attacked at network speeds, the network defenses also need to operate at
these speeds which means being directly connected to and monitoring the network traffic in real-time.
The earlier you know and understand the nature of the vulnerability, the sooner you can deploy a test
or attack. The same is true when looking at the evolving styles of attack; if you can see where
attackers are shifting their focus, then you can shift your defenses and tests accordingly. This is why
many of the top cyber security companies employ teams of security researchers and pen-testers.
Staying on top of new attacks allows them to develop better defenses.
Diagram 5: vulnerability lifecycle (Discovered, Disclosed, Exploited, Patched, Deployed) set against
Knowledge of Attacks (Pen-Test) and Knowledge of Defense (Vulnerability Scanners)
is a health notice with these numbers, that they are broad indications only; specific and reliable numbers
are not available. The same is true for the growth figures; this is especially the case as they were
compiled prior to Stuxnet, U.S. Cyber Command and the wide-spread acceptance of state sponsored
attacks.
Diagram 6
Currently the protect level is worth the most due to the emphasis placed on encryption and certification.
Commerce cannot function without a reliable and addressable Internet. This is a necessity play more than
anything. Wide scale protection measures such as DNSSEC are still being rolled out, and authentication
measures are not yet widespread. This is being reflected in the large protection market-size, and once
these technologies are more widely adopted, their growth will diminish. Just as the benefits of IDS and
DPI systems become more appreciated, the collection and intelligence markets will grow.
Currently there is a growing interest in the areas of defense and analysis. There are many reasons, from
reliability to national security and corporate espionage, to understand better what is happening on a
network. Data is required for analysis and therefore the collection/interception market is growing in
lockstep. These two markets will grow as understanding and acceptance of their relevance and
capabilities is more widely understood. Just as governments have solicited the help of the general
populace to be vigilant for suspicious activity, network equipment (such as routers, switches etc) will be
required to also monitor the network and provide data on it in addition to its day-job. We are still very
much in the early days of fully appreciating and leveraging all the benefits and uses of the collection and
analysis systems, but what we can say is that there is a huge potential for growth in this field.
The collection elements are primarily based on hardware, and in the case of backbone monitoring, highly
specialized too. This type of functionality is likely to be standard in the intermediate future as these
capabilities are added to products. The analysis and policing, on the other hand, is primarily driven by
software/mathematical models and algorithms. These can be implemented on the collection hardware for
product differentiation, delivered as a standalone product, or even as a service. Here the intelligence of
the system and its effectiveness will be the differentiator.
Finally, active testing/attack is equally divided between the pen test service and the deployed
vulnerability scanning tools. These two market segments feed into each other constantly. Therefore many
of the companies that provide vulnerability scanning solutions also provide penetration testing services.
Uptake of active testing is slower in the enterprise markets compared with governments and militaries,
which regularly deploy them. This again is likely to change as this market segment is better understood
and appreciated.
As this market segment is the least understood, and still the province of IT specialists, there are many
sub-standard solutions being offered. The differentiation in this area is provided through the practitioners'
knowledge and skill rather than the tools they are using. Thus there is no guarantee that a large name cyber
company will have a better or more reliable pen testing department than a small company of independent
security researchers. In fact it is often the reverse.
7. Markets
8.1. Protection
This market is primarily made up of hardware suppliers such as Ultra AEP and Thales e-Security who
provide certification systems and hardware security modules. There are also a large number of VPN
providers, both for corporate and low classification level systems, however there is not much
differentiation here, as most companies have the capability of providing IPSec/Suite B encrypted
tunneling. The real differentiation is in implementation, and that for the most part comes down to how they
protect their encryption and signing keys: are they factory-set, created on the device, or created via a hardware
security module?
There are currently no suppliers of high-grade secure routing equipment; instead the main routing
suppliers (Cisco, Juniper etc) provide only IL3 protection, possibly IL4. This also stems from a historically low
customer demand for it. One of the main reasons for this involves the routers themselves: every router on the
network would need a high-grade crypto and, if the network is international as with the Internet, this may not be
allowed. In these cases technologies such as IPSec are used instead.
Device protection, such as network authentication systems, is available from companies such as Yubico
and RSA. There are no clear market leaders, and many different companies specialize in different market
segments and customers. Inherently they all provide the same functionality: secure retention and
provision of certificate-style authentication.
8.2. Defense/Interception
This market is certainly one in which there is differentiation generally because there is a large
differentiation in the types of networks. There are many companies such as Astaro, Watchguard, Celestix
Networks and Palo Alto Networks who provide fixed IP LAN type IDS style collection devices and are
primarily enterprise level. Other companies such as Objective Development, Norton and Zone Alarm
provide home-level solutions.
Specific DPI solutions designed to protect against and look for instances of data leakage are provided by
companies such as Deep Secure and Nexor. However, these types of solutions are primarily used to look
at data going out (information loss), rather than data coming in (malware).
The term DPI refers to any system that inspects more than just the IP header of network traffic, but it
does not differentiate in any other manner. When looking at a DPI solution there are a few variables to
look for: firstly, is all traffic inspected or only sample captures; secondly, does the system sit in-line to the
network traffic or does it use a copy; and thirdly, how complex/comprehensive can the inspection rule-set
be and how easily can new rule-sets be created and deployed.
One of the main niches is in backbone carrier interceptors and traffic analyzers. Backbones carry a vast
amount of data and therefore scalable solutions able to handle the traffic sizes are required. Narus is one
such company that can provide multiple gigabit systems, specifically designed to sit on backbone
networks. Narus is a recognized leader in this sector, although there are other companies such as
CloudShield (provided by Portcullis) which can also operate at this level. Cisco also enables some of this
technology to be performed within their routers, by exploiting their API framework. Obviously, to do any
type of collection/interception the equipment must be able to get at the routed data, and therefore needs to
sit with the routers.
Voice is an interesting subset of the backbone/LAN interceptors. There is no fundamental reason why
voice should be any different to other IP networks as the vast majority of phone calls are now routed as
packets across Internet backbones at some point. However the amount of meta-data you can obtain and
the analysis you can perform is more specialized. Specific probes and interception devices are available
from companies such as SOTECH/Zu industries to do exactly this. The major telecoms companies such
as AT&T also provide this capability, to meet existing wire-tap laws.
In the pen testing market you must separate between the pen test frameworks which provide the toolkits
pen testers use, and the pen testing companies themselves. One of the most popular pen test toolkits is
Metasploit by Rapid7, but Core Impact, ImmunitySec and w3af also produce popular ones.
As for actual pen test companies, there are a large number of them normally staffed with ex-hackers or
ex-government people. Due to the reliance on skilled personnel, it is difficult to differentiate companies.
However, the U.K. Centre for the Protection of National Infrastructure recommends Portcullis as its
pen test company of choice.
In the U.K. there are two schemes (Tiger and CREST) which can be used to obtain an independent
assessment of penetration testing companies.
8. Growth Areas
Network cyber security is growing, both in terms of recognition and market size. There is recognition that
cryptography can be used for more than just encrypting data traffic, it can be used to provide integrity and
authentication to network operations. There is a large amount of innovation in the area of network policing
& intelligence, and there is an opportunity to provide niche solutions for different industries such as critical
infrastructure and military platforms (ships/aircraft etc). These systems are not enterprise/corporate style
architectures, and are not operated or relied upon in the same way. Therefore the solutions which work
for the enterprise will require modification before being used in critical infrastructure or military platforms
(safety being the primary reason).
Finally, within the active test level, the two largest attributes required for a successful penetration company
are expertise and trust. Active testing constantly generates new protection ideas and methodologies, as
new vulnerabilities are discovered. This can be thought of as the research and technology development
part of network cyber security, only its activities are paid for by pen-test customers.
In summary, within network cyber security I would recommend the following strategic directions:
1. Develop the use of cryptography beyond data protection
2. Develop critical infrastructure and/or military platform policing and analytic solutions
3. Enhance knowledge and awareness in the cyber security space through penetration testing