Network Security

1) Network security begins with secure network design which implements multiple layers of defense through practices like network segmentation, firewalls, and access control lists. 2) Network segmentation involves logically or physically dividing the network into separate security zones like external, internal, DMZ, and guest to isolate systems and control traffic flow. 3) Virtual segmentation uses techniques like VLANs while physical segmentation employs separate subnets and firewalls or routers to physically separate network zones. Proper configuration of firewalls and access to the DMZ is also important for network security.

Uploaded by birayours

11/14/2022

Network Security

Introduction
• A common mistake in network security
– Attempting to patch vulnerabilities in a weak network that was poorly designed and implemented
• Most applications are not designed and written with security in mind
– The network has to provide the protection
– A secure network defense remains a critical element in any enterprise's overall security plan


Introduction
• Securing a network begins with the design of the network
• A secure network can be achieved through
– Network design
– Network security technologies
• A secure network design
– Implements multiple layers of defense
– Follows security best practices and models Zero Trust principles

Security through Network Design

Network Segmentation
• Logically or physically divides the network into different security zones
– To prevent an intruder from propagating exploits, and to defend the network against adversarial lateral movement
– Helps isolate the security-critical systems of the network from other systems and from high-risk networks like the Internet
• The security zones are broad groups
– External, internal, DMZ, and guest Wi-Fi
– Business groups: HR, Accounting and Finance


Security through Network Design

Network Segmentation
• Understanding the principle of zero trust is important
– Many networks are based on a traditional security model that operates on the assumption that everything inside an organization's network should be trusted
– The zero-trust model recognizes that trust is a vulnerability

Security through Network Design

Network Segmentation
• Common approaches to network segmentation
– Virtual segmentation
– Physical segmentation


Security through Design – Network Segmentation

Virtual segmentation
• Isolating network systems into different subnets or virtual local area networks (VLANs)
• In most networks, segmentation is done using switches
– Difficult because all users might not be in the same location and served by the same switch
• A VLAN allows scattered users to be logically grouped together even though they may be attached to different switches
• Reduces network traffic and provides a degree of security

Security through Design – Network Segmentation

Virtual segmentation
• VLAN communication can take place in two ways
– If VLAN members are connected to the same switch, the switch itself can handle the transfer of packets to the members of the VLAN group
– If VLAN members on one switch need to communicate with members connected to another switch, a special "tagging" protocol must be used
• The protocol adds a field to the packet that "tags" it as belonging to the VLAN
• VLANs prevent direct communication between servers
– Direct server-to-server traffic could otherwise bypass firewall or IDS inspection
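The tagging step described above, as an added example that is not part of the original slides: it inserts and decodes an 802.1Q tag (the TPID 0x8100 followed by the priority/DEI/VLAN-ID field) in an Ethernet frame, and models a VLAN-aware switch that floods a frame only to ports in the same VLAN. The MAC addresses and the port-to-VLAN map are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload (FCS omitted)."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte tag between the source MAC and the original EtherType.
    Tag = TPID (0x8100) + TCI (3-bit priority, 1-bit drop-eligible, 12-bit VLAN ID)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode addressing, VLAN ID (None when untagged), priority, EtherType and payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0xFFF
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def forward_ports(frame: bytes, port_vlan: dict, in_port: str) -> list:
    """Model of a VLAN-aware switch flooding a frame: an untagged frame joins the
    ingress port's access VLAN, and the frame is sent only to other ports in that
    VLAN, so hosts in a different VLAN never see it. port_vlan is a constructed
    sample topology mapping port name -> VLAN ID."""
    info = parse_frame(frame)
    vid = info["vid"] if info["vid"] is not None else port_vlan[in_port]
    return sorted(p for p, v in port_vlan.items() if v == vid and p != in_port)


if __name__ == "__main__":
    frame = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 0x0800, b"ip-packet")
    tagged = add_vlan_tag(frame, vid=10, pcp=3)
    print(parse_frame(tagged))
    print(forward_ports(tagged, {"p1": 10, "p2": 10, "p3": 20}, "p1"))
```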


Security through Design - Network Segmentation

Physical segmentation
• Physically separating the different subnets via firewalls or filtering routers
– Subnetworks within an enterprise network
– Demilitarized Zone (DMZ)
• Located between the protected internal network and an untrusted external network (often the Internet)
• Designed to provide a network of public-facing services (web server, email server)
– Provides an interface to an untrusted external network (the Internet)

Security through Design - Network Segmentation

Physical segmentation
[Figure: physical segmentation]

Security through Design - Network Segmentation

Physical segmentation

How should a DMZ be configured?

A pathway is enabled for administrators to enter the zone; if that pathway is compromised, it can give attackers access to the secure network.

Jump Server: runs only essential protocols and ports, and connects two dissimilar security zones while providing tightly restricted access between them

Security through Security Technology

● Firewalls
● VPN
● IDS/IPS
● Honeypot
● Access Technologies
– Network Access Control
– ACL
● …


Firewalls
● Designed to stop unauthorized traffic flowing from one network to another
– Separates trusted and untrusted components of a network
● Uses bidirectional inspection to examine both outgoing and incoming network packets

Firewalls
● A firewall can be software-based or hardware-based
– A software firewall runs as a program or service on a device
– Hardware firewalls are specialized separate devices that inspect traffic
● Hardware firewalls
– Have more features but are expensive
– Usually located outside the network security perimeter, as the first line of defense
● Software firewall issue
– Could be compromised by malware that infects the device


Firewalls
Firewall Categories
● The basis of a firewall is a rule base
– Establishes what action the firewall should take when it receives a packet (allow, block)
● Firewall rules contain parameters
– Source and destination address
– Source and destination port
– Protocol
– Direction
– Priority
– etc.

Firewalls

Firewall Actions

● Accepted: allowed to enter the connected network/host through the firewall
● Denied: not permitted to enter the other side of the firewall
● Rejected: similar to "Denied", but the source is told about this decision through an ICMP packet


Firewalls
Firewall Categories

● Stateless packet filtering
– Looks at the incoming packet and permits or denies it based strictly on the rule base
● Stateful packet filtering
– Keeps a record of the state of a connection between an internal computer and an external server
– Then makes decisions based on the connection as well as the rule base


Firewalls
Stateless packet filtering

● Controls traffic based on the information in packet headers, without looking into the payload that contains application data
● Doesn't pay attention to whether the packet is part of an existing stream of traffic
– Doesn't maintain state about packets


Firewalls
Stateless packet filtering

• The firewall performs a simple check of the data packets coming through the router, inspecting information such as the destination and origination IP address, port number, and other header fields, without opening up the packet to inspect its contents
• If a packet doesn't pass the inspection, it is dropped

Firewalls
Stateless packet filtering

● The advantage of these firewalls is that they aren't very resource-intensive
– Don't have a huge impact on system performance
● However, they're also relatively easy to bypass compared to firewalls with more robust inspection capabilities


Firewalls
Stateful Firewall

● Tracks the state of traffic by monitoring all the interactions of a connection until it is closed

Firewalls
Stateful Firewall

● A connection state table is maintained to understand the context of packets


Stateful Firewall

Example: connections are only allowed through the ports that hold open connections
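A simulation of the two firewall categories above, as an added example that is not part of the original slides: the same rule base is applied statelessly and through a connection state table, which shows why the stateful firewall can admit replies to connections opened from inside without a permissive inbound rule that a stateless filter would need. Addresses, ports and rules are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = ""      # TCP flag letters, e.g. "S", "SA", "FA", "R"


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


def stateless_filter(rules, p: Packet) -> str:
    """Stateless filtering: each packet is judged on its headers alone; the first
    matching rule wins and an implicit deny ends the rule base."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Stateful filtering: the rule base is consulted only for packets that open a
    connection; every later packet is judged by the connection state table."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()          # tracked connections as 5-tuples

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        if self._key(p) in self.table or self._reverse(p) in self.table:
            # Part of a tracked connection: allowed in either direction without a rule.
            if "F" in p.flags or "R" in p.flags:
                # Simplified teardown; a real firewall waits for FIN from both sides.
                self.table.discard(self._key(p))
                self.table.discard(self._reverse(p))
            return "allow"
        # Only a pure SYN can open a connection, and only if the rule base allows it.
        if "S" in p.flags and "A" not in p.flags and stateless_filter(self.rules, p) == "allow":
            self.table.add(self._key(p))
            return "allow"
        return "deny"
```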

Firewalls

Specialized Firewall
● Web application firewall (WAF)
– Protects web applications by filtering and monitoring HTTP/S traffic
– Blocks cross-site scripting, SQL injection attacks and others
– Protects the application layer


Firewalls

Specialized Firewall
● Next Generation Firewall (NGFW)
– Has additional functionality beyond a traditional firewall
– Detects applications by using deep packet inspection: examines the payloads of packets and determines if they are carrying malware
– Performs URL filtering and intrusion prevention services

Assignment
Open source
● iptables
● pfSense


Virtual Private Network

Internet Security: A Hands-on Approach By Wenliang Du

Introduction

● Networks primarily intended for internal use are called private networks
● If we grant access from outside to the private network, the attack surface will significantly broaden


Why is a VPN needed?

To achieve CIA
● Encryption: the Internet is a dangerous place and all the traffic should be protected, i.e., encrypted
● Integrity verification: the integrity of the traffic needs to be preserved
● Authentication: to make sure that you are authorized to be an insider

Virtual Private Network (VPN)

● A VPN allows users to create a secure, private network over a public network such as the Internet. This is achieved by:
– Having a designated host (VPN server) on the network
– Outside computers have to go through the VPN server, after authentication, to reach the hosts inside the private network
– Only the VPN server is exposed to the outside; the internal computers are still protected, via firewalls or reserved IP addresses


A Typical Setup
● This is a typical VPN setup where the "Client" machine wants to connect with machine "V" on a private network
– "Client" uses the "VPN Server" to get authenticated to the private network

IP Tunneling

[Figure: an IP tunnel between Tunnel End A and Tunnel End B]
• The tunnel goes through a public network, such as the Internet
• Traffic inside the tunnel is protected
• The actual packet travels between the two ends of the tunnel
• Its payload carries another IP packet, which is the packet that needs to be protected, such as packets to/from a private network

Two Types of IP Tunneling

● IPSec Tunneling
● TLS/SSL Tunneling
– Tunneling done outside the kernel, at the application level
– The idea is to put each VPN-bound IP packet inside a TCP or UDP packet
– The other end of the tunnel will extract the IP packet from the TCP/UDP payload
– To secure the packets, both ends will use the TLS/SSL protocol on top of TCP/UDP

Two Types of IP Tunneling

[Figure: IPSec tunneling compared with TLS/SSL tunneling]


An Overview of How TLS/SSL VPN Works

[Figure: a TLS/SSL VPN; the tunnel is just a normal TCP- or UDP-based SSL connection]
Question: how can the tunnel application get an IP packet?

TUN/TAP Interface
• Question: how can the tunnel application get an IP packet?
– Typically, applications interact with the kernel using sockets
– Using a socket, the kernel only gives the data part of a packet to applications
– Applications need to use a different way to interact with the kernel


TUN/TAP Interface
• Most operating systems have two types of network interfaces:
– Physical: corresponds to the physical Network Interface Card (NIC)
– Virtual: a virtualized representation of a computer network interface; the network interface can be implemented in software
For example, the loopback interface (127.0.0.1 for IPv4 and ::1 for IPv6) is not a physical device but a piece of software simulating a network interface
• TUN Virtual Interface
– Works at OSI layer 3, the IP level
– Sending any packet to TUN will result in the packet being delivered to a user-space program
• TAP Virtual Interface
– Works at OSI layer 2, the Ethernet level
– Used for providing virtual network adapters for multiple guest machines connecting to a physical device of the host machine

TUN/TAP Interface

[Figure: TUN/TAP interface between the kernel and a user-space program]


Set Up the Routing

[Figure: routing packets to the tunnel]


Set Up the Routing

[Figure: the routing table on the VPN client]
• Packets to the private network's destination should be routed to the tun0 interface, i.e., they should go through the tunnel
• All other traffic will be routed to the physical interface, i.e., it will not go through the tunnel

How to Send/Receive Packets via Tunnel

Sending a packet via the tunnel
• Get an IP packet from the TUN interface
• Encrypt it (also add a MAC)
• Send it as a payload to the other end of the tunnel

Receiving a packet from the tunnel
• Get a payload from the tunnel
• Decrypt it and verify its integrity
• We get the actual packet
• Write the packet to the TUN interface
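The routing decision and the send/receive steps above, as an added example that is not from Du's book or the original slides: it parses the raw IPv4 header a TUN program receives (which a socket would strip), picks tun0 or eth0 by longest-prefix match, and wraps each packet in an authenticated, encrypted payload with a replay check on receipt. Because TLS itself is out of scope for a short listing, the protection is a labelled toy construction built from HMAC-SHA256 in the standard library; it illustrates the encrypt-then-MAC order and is not a substitute for TLS.

```python
import hashlib
import hmac
import ipaddress
import struct


def parse_ipv4(packet: bytes) -> dict:
    """Header fields a TUN program sees but a socket never exposes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    (total_len,) = struct.unpack("!H", packet[2:4])
    return {"ihl": (packet[0] & 0x0F) * 4, "total_len": total_len, "proto": packet[9],
            "src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20]))}


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed sample packet: minimal 20-byte header, checksum left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def route(dst: str, table) -> str:
    """Longest-prefix match over [(network, interface)], as in the routing slide:
    only destinations behind the tunnel are sent to tun0."""
    best = None
    for net, iface in table:
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1]


class TunnelEnd:
    """One end of the tunnel. Toy stand-in for TLS (assumption): a keystream derived
    with HMAC-SHA256 from (sequence number, block index) and encrypt-then-MAC under a
    separate key. A real deployment uses TLS and separate keys per direction."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.seq = 0            # next sequence number to send
        self.seen = set()       # sequence numbers already accepted (replay check)

    def _keystream(self, seq: int, n: int) -> bytes:
        blocks = (hmac.new(self.enc_key, struct.pack("!QI", seq, i), hashlib.sha256).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def send(self, ip_packet: bytes) -> bytes:
        """Sending: packet from TUN -> encrypt -> add MAC -> payload for the UDP/TCP socket."""
        seq, self.seq = self.seq, self.seq + 1
        ct = bytes(a ^ b for a, b in zip(ip_packet, self._keystream(seq, len(ip_packet))))
        hdr = struct.pack("!Q", seq)
        tag = hmac.new(self.mac_key, hdr + ct, hashlib.sha256).digest()
        return hdr + ct + tag

    def receive(self, payload: bytes):
        """Receiving: verify the MAC first, reject replays, then decrypt and return the
        packet to be written to TUN (None means drop)."""
        if len(payload) < 8 + 32:
            return None
        hdr, ct, tag = payload[:8], payload[8:-32], payload[-32:]
        expect = hmac.new(self.mac_key, hdr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None
        (seq,) = struct.unpack("!Q", hdr)
        if seq in self.seen:
            return None
        self.seen.add(seq)
        return bytes(a ^ b for a, b in zip(ct, self._keystream(seq, len(ct))))
```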


Intrusion Detection and Prevention Systems

Introduction
Security Intrusion and Intrusion Detection – RFC 2828
Security Intrusion
• A security event, or combination of multiple security events, that constitutes
a security incident in which an intruder gains, or attempts to gain, access to a
system (or system resource) without having authorization to do so

Intrusion Detection
• A security service that monitors and analyzes system events for the purpose
of finding, and providing real-time or near real-time warning of attempts to
access system resources in an unauthorized manner


Intrusion Detection System (IDS)

• Detects unwanted/suspicious activities in the network and generates alerts to notify security personnel
• Monitors traffic, activity, transactions and behavior
• Inspects and scans data packets
• Detects all types of malicious traffic including
– Attacks against vulnerable services
– Data-driven attacks on applications
– Privilege escalations
– Unauthorized logins and access to sensitive files, and
– Malware (viruses, trojan horses, and worms)

Types of Intruder and Behaviors

• The person who intrudes is an intruder
• The techniques and behavior patterns of intruders are constantly shifting
– To exploit newly discovered weaknesses
– To evade detection and countermeasures
• Awareness of intruders led to the establishment of CIRTs
– Cyber Incident Response Teams
– Collect / disseminate vulnerability info / responses
– Hackers may also gain access to CERT reports
• Important to quickly patch the discovered vulnerabilities


Types of Intruder and Behaviors

• Three broad categories
– Hackers
– Criminals
– Insiders

Hackers
• Motivated by thrill and status/reputation
– The hacking community is a strong meritocracy
– Status is determined by level of competence
• Awareness of intruders led to the establishment of CIRTs
– Computer / Cyber Incident Response Teams
– Collect / disseminate vulnerability info / responses
– Hackers may also gain access to CERT reports
• Important to quickly patch the discovered vulnerabilities


Criminals / Criminal Enterprises

• Here the main motivation is to make money
• Now the common threat is organized groups of cyber criminals
• Common targets are financial institutions, bank accounts and credit cards on e-commerce servers
• Once penetrated, they act quickly and get out
– IDS may help but is less effective due to the quick-in-and-out strategy
– Sensitive data needs strong data protection (e.g. credit card numbers)
– Strong authentication would also help (2-factor authentication)

Insider Attacks
• Most difficult to detect and prevent
– Employees have access and system knowledge
• Motivated by revenge or a feeling of entitlement
– When employment is terminated
– Taking customer data when moving to a competitor
• IDS/IPS may help, but other approaches are needed
– Enforcing least privilege (need-to-know basis)
– Monitoring logs
– Software agents monitoring user behaviors
– Upon termination, revoking all rights and network access
– Protecting sensitive resources with strong authentication


Elements of IDS
• Primary assumptions:
– System activities are observable
– Normal and intrusive activities have distinct evidence/features/patterns
• Components of intrusion detection systems:
– From an algorithmic perspective:
• Features: capture intrusion evidence
• Models: piece the evidence together
– From a system architecture perspective:
• Various components: audit data processor, knowledge base, decision engine, alarm generation and responses

Components of IDS
[Figure: IDS pipeline. System activities are observable → Audit Records → Audit Data Preprocessor → Activity Data → Detection Engine (using Detection Models; normal and intrusive activities have distinct evidence) → Alarms → Decision Engine (using a Decision Table) → Action/Report]


Audit Records
• A fundamental tool for intrusion detection
• Two variants:
– Native audit records: provided by the OS
• All multi-user OSes include accounting software that collects information on user activity
• Always available and no additional collection software is needed, but they may not contain enough info or may not contain it in a convenient form
– Detection-specific audit records
• Collect the information required by the IDS
• Could be made vendor independent and ported to a variety of systems
• Additional overhead, but specific to the IDS task: two accounting packages running on one machine

Intrusion Detection Approaches

• IDS solutions can also be classified based upon how they identify potential intrusions
– Signature-based
– Anomaly-based
– Hybrid detection
• Deployment: network-based or host-based
– Network-based: monitors network traffic
– Host-based: monitors a single host's activity


Signature-based Detection
• Assumes that each intrusive activity is representable by a unique pattern or signature; signatures of known threats are used to identify them
– An attack signature database is maintained: signatures of known threats
• Sequences of system calls, patterns of network traffic, etc.
• Example: if (traffic contains "x90+de[^\r\n]{30}") then "attack detected"
– Compare traffic to the database
– If a match is found, an alert is sent
– Requires constant updates
• High threat detection rate with no false positives, but blind to zero-day vulnerabilities

Anomaly-based Detection
• Learning systems that continuously create "norms" of activities
– Norms are then later used to detect anomalies that might indicate an intrusion
– Compares observed activity against expected normal usage profiles
• Defines a profile describing "normal" behavior, then detects deviations
– Anomalies can also be caused by faults in other elements
• Example: router failure or misconfiguration
• Relatively high false negative/positive rates


Anomaly Detection
Threshold detection
• Involves counting the number of occurrences of a specific event type over an interval of time
– If the count surpasses what is considered a reasonable number that one might expect to occur, then an intrusion is assumed
• Checks for excessive event occurrences over time
– Creates lots of false positives/negatives due to
• The variability across users

Anomaly Detection
Profile based
• Characterizes the past behavior of users, groups of users, or applications, then detects significant deviations
• A profile may consist of a set of parameters
– Counter: request count, tasks completed, error count
– Gauge: memory usage, queue size, number of requests in progress
• Based on analysis of audit records over a period of time to determine the activity profile of the user
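The two anomaly-detection variants above, run over constructed audit records as an added example that is not from the original slides: a fixed threshold flags the legitimately heavy user bob's normal volume and misses alice's tenfold jump, while per-user profiles (mean and spread of the request counter) catch alice and leave bob alone. The user names, the counts and the k = 3 cutoff are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records: (user, interval_id, request_count) per 10-minute interval.
TRAINING = ([("alice", t, n) for t, n in enumerate([4, 5, 6, 5, 4, 6, 5, 5])]
            + [("bob", t, n) for t, n in enumerate([180, 200, 220, 190, 210, 200, 195, 205])])
LIVE = [("alice", 9, 60), ("bob", 9, 205), ("alice", 10, 5), ("mallory", 9, 3)]


def threshold_detect(records, limit):
    """Threshold detection: one limit applied to every user's event count per interval."""
    return [(user, t) for user, t, n in records if n > limit]


def build_profiles(training):
    """Profile-based: summarize each user's past behaviour of the counter as (mean, spread)."""
    by_user = defaultdict(list)
    for user, _, n in training:
        by_user[user].append(n)
    return {user: (mean(v), pstdev(v)) for user, v in by_user.items()}


def profile_detect(profiles, records, k=3.0, min_sigma=1.0):
    """Alert when a count lies more than k standard deviations from the user's own mean.
    min_sigma keeps a near-constant history from turning every small change into an
    alert; a user with no profile is reported rather than silently ignored."""
    alerts = []
    for user, t, n in records:
        if user not in profiles:
            alerts.append((user, t, "no profile"))
            continue
        mu, sigma = profiles[user]
        z = (n - mu) / max(sigma, min_sigma)
        if abs(z) > k:
            alerts.append((user, t, round(z, 1)))
    return alerts


if __name__ == "__main__":
    print("threshold:", threshold_detect(LIVE, 100))
    print("profile:  ", profile_detect(build_profiles(TRAINING), LIVE))
```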


Intrusion Detection Systems

• Classified based on their monitoring scope
– Host-based intrusion detection
– Network-based intrusion detection

Types of Intrusion Detection Systems

Host-Based Intrusion Detection Systems (HIDS)

• Hosted on a single device
• Monitors operating-system-specific logs and security logs to detect sudden changes in these logs
– When a change is detected in any of these files
• The HIDS compares the new log entry with its configured attack signatures
– If a match is detected, this signals the presence of an illegitimate activity
• Any antivirus can be considered a HIDS, as it will alert the user the moment a suspicious file or activity is detected


Intrusion Detection Systems

Network-Based Intrusion Detection Systems (NIDSs)
• NIDSs have the whole network as their monitoring scope
• Monitor the traffic on the network to detect intrusions
• Responsible for detecting anomalous, inappropriate, or other data occurring on a network that may be considered unauthorized and harmful
• NIDS sensors can be deployed in one of two modes
– Inline and passive sensors

Intrusion Detection Systems

• An inline sensor is inserted into a network segment
– So that the traffic it is monitoring must pass through the sensor
– Combines NIDS sensor logic with another network device, such as a firewall or router
• A passive sensor monitors a copy of the network traffic; the actual traffic does not pass through the device
– Connected to a port on a switch which receives a copy of the network traffic
• The passive sensor is more efficient than the inline sensor
– Does not add an extra handling step that contributes to packet delay


An Example IDS: Snort

• Lightweight IDS
– Open source
– Portable, efficient
– Easy deployment and configuration
– May work in a host-based or network-based manner
• Snort can perform
– Real-time packet capture and rule analysis
• Sensors can be inline or passive
– In the inline case, Snort can also be used as an IPS

Snort Architecture
• Packet Decoder: parses the packet headers in all layers
• Detection Engine: the actual IDS; rule-based analysis
• If the packet matches a rule, the rule specifies logging and alerting options


Snort Rules
• Snort uses a simple, flexible and effective rule definition language
– But it needs training to become an expert in it
• Each rule has a fixed header and zero or more options
• Header fields
– action: what to do if the rule matches – alert, drop, pass, etc.
– protocol: analyze further if it matches – IP, ICMP, TCP, UDP
– source IP: single, list, any, negation
– source port: TCP or UDP port; single, list, any, negation
– direction: unidirectional (->) or bidirectional (<>)
– dest IP, dest port: same format as the source fields

Snort Rules
• Many options
– Different categories
– Other header fields can be checked using options
• Option format
– keyword: arguments;
• Several options can be listed, separated by semicolons
– Options are written in parentheses
• Example rule to detect a TCP SYN-FIN attack:
  alert tcp $EXTERNAL_NET any -> $HOME_NET any \
  (msg: "SCAN SYN FIN"; flags: SF;)
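A small rule matcher covering both the signature-based detection example earlier (the pattern "x90+de[^\r\n]{30}", written here as a regex with the \x90 escape) and the Snort rule syntax above, as an added example that is not Snort's own code nor part of the original slides: it splits a rule into header and options, resolves any/list/negation/CIDR/$VARIABLE address and port fields, honours the direction operator, and evaluates the flags, content and pcre options against constructed packets. The $HOME_NET and $EXTERNAL_NET values are assumed.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed variable definitions (in Snort these come from ipvar lines in snort.conf).
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!$HOME_NET"}
RULE_RE = re.compile(r"\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>|<->)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def parse_rule(text: str) -> dict:
    """Split a rule into its fixed header and its 'keyword: arguments;' options."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for item in body.split(";"):           # options are separated by semicolons
        if item.strip():
            key, _, val = item.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return {"action": action.lower(), "proto": proto.lower(), "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def addr_match(spec: str, ip: str) -> bool:
    """Address field: any, single IP or CIDR, !negation, [a,b] list, $VARIABLE."""
    if spec == "any":
        return True
    if spec.startswith("$"):
        return addr_match(VARS[spec], ip)
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip)
    if spec.startswith("["):
        return any(addr_match(s, ip) for s in spec[1:-1].split(","))
    return ip_address(ip) in ip_network(spec, strict=False)

def port_match(spec: str, port: int) -> bool:
    """Port field: any, single port, lo:hi range, !negation, [a,b] list."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_match(spec[1:], port)
    if spec.startswith("["):
        return any(port_match(s, port) for s in spec[1:-1].split(","))
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)

def header_match(rule: dict, pkt: dict) -> bool:
    if rule["proto"] != pkt["proto"]:
        return False
    fwd = (addr_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])
           and addr_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"]))
    if fwd or rule["direction"] == "->":
        return fwd
    return (addr_match(rule["src"], pkt["dst"]) and port_match(rule["sport"], pkt["dport"])
            and addr_match(rule["dst"], pkt["src"]) and port_match(rule["dport"], pkt["sport"]))

def options_match(opts: dict, pkt: dict) -> bool:
    """Supported options: flags (exact TCP flag set, trailing '+' = at least these),
    content (byte substring) and pcre (regex body without trailing modifiers)."""
    if "flags" in opts:
        want = set(opts["flags"].rstrip("+"))
        have = set(pkt.get("flags", ""))
        if not (want <= have if opts["flags"].endswith("+") else want == have):
            return False
    payload = pkt.get("payload", b"")
    if "content" in opts and opts["content"].encode() not in payload:
        return False
    if "pcre" in opts and not re.search(opts["pcre"].strip("/").encode(), payload):
        return False
    return True

def evaluate(rules, pkt: dict):
    """(action, msg) for every rule whose header and options the packet matches."""
    return [(r["action"], r["options"].get("msg", "")) for r in rules
            if header_match(r, pkt) and options_match(r["options"], pkt)]

RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "SCAN SYN FIN"; flags: SF;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "NOP sled"; pcre: "/\x90+de[^\r\n]{30}/";)',
    'alert tcp $HOME_NET 23 <> $EXTERNAL_NET any (msg: "telnet prompt"; content: "login:";)',
]]
```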


Proxy Server
• Acts as a substitute on behalf of the primary device
– Forward proxy
– Reverse proxy
• Looks for malware before it reaches the internal endpoint
• Hides the IP address of endpoints inside the secure network

Deception Instruments


Deception Instruments
• Deception
– The act of causing someone to accept as true something that is false
• Deception can be used as a security defense
– By directing attackers away from a valuable asset to something that has little or no value
– Attackers can be tricked into thinking what they are attacking is valuable or that their attack is successful
• Creating network deception can involve creating and using honeypots

Honeypots
• A system designed to look like something that an intruder can hack
• The goal of a honeypot is to deceive intruders and learn from them without compromising the security of the network
– To deceive attackers and learn about their tools and methods
• Filled with fabricated info
– Appears to be a real system with valuable info
– Legitimate users would not access it

Honeypots

• The honeypot is intentionally configured with security vulnerabilities
– So that it is open to attacks
• Security personnel generally have two goals when using a honeypot:
– A honeypot can redirect threat actors' attention away from legitimate servers
– A honeypot can trick threat actors into revealing their attack techniques
• Security experts can then determine if actual production systems could thwart such an attack

Honeypots
• Instrumented with monitors and event loggers

Honeypot Deployment
Finding a strategic place for the honeypot is important

1. Outside the firewall: good for reducing the burden on the firewall; keeps the bad guys outside
2. As part of the service (DMZ) network: the firewall must allow attack traffic to the honeypot (risky)
3. As part of the internal network: same as 2, but riskier if compromised; the advantage is that insider attacks can be caught

Sinkholes
• Another deception technique, designed to steer unwanted traffic away from its intended destination to another device
– Deceives the threat actor into thinking the attack is successful when the sinkhole is actually providing information about the attack

Example
• A DNS sinkhole changes a normal DNS request to a pre-configured IP address that points to a firewall with a rule of Deny set for all packets
– Every packet is dropped with no return information provided to the sender
• DNS sinkholes are commonly used to counteract DDoS attacks


Access Technologies
• Designed to grant or deny access
• The access may be to the network or to specific data
• Includes
– Access Control List
– Network Access Control

Access Control List

• Contains rules that administer the digital assets by granting or denying access
• The two types of ACLs
– Filesystem ACLs
• Filter access to files and directories on an endpoint
– Networking ACLs
• Filter access to a network; often found on routers
  (config) #access-list 1 permit 10.1.5.1
  (config) #access-list 1 deny 192.168.1.53
  (config) #access-list 1 permit 172.30.0.0 0.0.255.255
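The three access-list lines above, evaluated as an added example that is not from the original slides: it parses the IOS-style lines, applies the wildcard mask (0.0.255.255 means the last 16 bits are "don't care"), returns the first matching action with the implicit deny at the end, and flags entries that an earlier, broader entry shadows so they can never fire. The addresses are the slide's own; the second ACL in the demo is constructed.

```python
import ipaddress
import re

# The three lines from the slide, as typed at the IOS config prompt.
SAMPLE_ACL = [
    "(config) #access-list 1 permit 10.1.5.1",
    "(config) #access-list 1 deny 192.168.1.53",
    "(config) #access-list 1 permit 172.30.0.0 0.0.255.255",
]


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(ip: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'
    (the inverse of a subnet mask, so 0.0.255.255 covers a /16)."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(ip) & care) == (_int(base) & care)


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny <addr> [wildcard]' (also 'host X' and 'any')
    into {acl_number: [(action, base, wildcard), ...]}, keeping the configured order."""
    acl = {}
    for line in lines:
        parts = re.sub(r"^\(config\)\s*#\s*", "", line.strip()).split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError("unsupported ACL line: " + line)
        num, action, addr = parts[1], parts[2], parts[3]
        if addr == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif addr == "host":
            base, wc = parts[4], "0.0.0.0"
        else:
            base, wc = addr, (parts[4] if len(parts) > 4 else "0.0.0.0")
        acl.setdefault(num, []).append((action, base, wc))
    return acl


def evaluate(entries, src_ip: str) -> str:
    """Standard ACL semantics: the first matching entry wins; an implicit 'deny any'
    ends the list, so anything not explicitly permitted is dropped."""
    for action, base, wc in entries:
        if wildcard_match(src_ip, base, wc):
            return action
    return "deny"


def shadowed(entries):
    """Indices of entries that can never match because an earlier entry already covers
    every address they would match: the usual sign of a mis-ordered ACL."""
    out = []
    for j, (_, base_j, wc_j) in enumerate(entries):
        for _, base_i, wc_i in entries[:j]:
            care_i = ~_int(wc_i) & 0xFFFFFFFF
            if (_int(wc_j) & care_i) == 0 and (_int(base_i) & care_i) == (_int(base_j) & care_i):
                out.append(j)
                break
    return out


if __name__ == "__main__":
    acl1 = parse_acl(SAMPLE_ACL)["1"]
    for ip in ("10.1.5.1", "192.168.1.53", "172.30.200.9", "172.31.0.1"):
        print(ip, "->", evaluate(acl1, ip))
    # Constructed mis-ordered ACL: the deny is shadowed by the broader permit before it.
    acl2 = parse_acl(["access-list 2 permit 192.168.1.0 0.0.0.255",
                      "access-list 2 deny 192.168.1.53"])["2"]
    print("shadowed entries in ACL 2:", shadowed(acl2))
```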


Networking ACLs
• External router ACL
– Restricts known vulnerable protocols from entering the network
– Limits traffic entering the network from unapproved networks
– Protects against IP spoofing that imitates another computer's IP address
• Internal router ACL
– Applies to outbound packets
– Usually less restrictive but more specific than the external router ACLs

Network Access Control (NAC)

• Examines the current state of an endpoint before it can connect to the network
• Any device that does not meet a specified set of criteria is denied access to the network
– Or given restricted access to computing resources, or connected to a "quarantine" network where the security deficiencies are corrected
• Set of criteria
– The most current antivirus signatures
– Operating system version
– The software firewall properly enabled


Network Access Control

• Some NAC systems use agent software installed on endpoints
• An agent may be
– Permanent: resides on the end device until uninstalled
– Dissolvable: disappears after reporting information to the NAC
• Agentless NAC: no additional software is required
– Integrated within a Microsoft Windows Active Directory domain controller
• Instead of installing agents on each device
• When a device joins the domain and a user logs in, NAC uses Active Directory to scan the device to verify that it complies with the necessary criteria

Port Security
• Securing the ports on network devices such as a switch or router is important to secure a network
• Attackers can access a network device through an unprotected port
– Reconfiguring the device introduces a number of vulnerabilities (compromise of route security)
– False route information can be injected
• Types of attacks through port security
– MAC flooding
– MAC address spoofing
– ARP poisoning
