RMC MO Data & Network Security 10.2: Network Security

Unit 10 - Data & Network Security
Section 10.2: Network Security

Log in to the Cyber Range and open both machines in the LCPS Cyber exercise environment.
Unit Learning Objectives

BUS6302.48 Describe the cyberattack surface of various organizations.
BUS6302.64 Identify the prevention of and protections against cyber threats.
BUS6302.74 Identify ways to control and protect personal data.
BUS6302.83 Explain how businesses and individuals can protect themselves against threats to their data (e.g. firewalls, encryption, disabling, backups, permissions).
BUS6302.88 Identify best practices for protecting operating systems.
Lesson Essential Questions

1. How do you secure wireless networks?
2. What are firewalls and how do they work?
3. What are proxy servers and how do they work?
4. What are Intrusion Detection Systems/Intrusion Prevention Systems and how do they work?
5. What are Unified Threat Management devices?
Section 10.2.1: Securing Wireless Networks
• Internal wireless networks are exposed because a threat actor does not need to be physically inside the facility to reach the network; anyone within radio range can attempt to connect or capture traffic.
• To prevent unauthorized access, wireless networks are secured by encrypting the transmissions between the device and the wireless access point (WAP)/Wi-Fi router.
• The widely deployed encryption standard for wireless networks is Wi-Fi Protected Access 2 (WPA2); its successor, WPA3, should be used where the access point and clients support it.
  – WPA2 encrypts traffic with the Advanced Encryption Standard (AES) in CCMP mode using 128-bit keys.
  – In WPA2-Personal, the user must enter the network password (passphrase). The encryption keys are derived from that passphrase and the network name (SSID), so a short or guessable passphrase can be recovered offline by an attacker who has captured one connection handshake.
• Routers using WPA2 are often also running Wi-Fi Protected Setup (WPS), which lets users quickly join the network by entering an 8-digit PIN instead of the passphrase.
  – The PIN's last digit is a checksum, and the protocol confirms the two halves of the PIN separately, so only about 11,000 guesses are needed rather than 100 million. Freely available attack tools can usually recover the WPS PIN within 4 to 10 hours, and with it the WPA2 passphrase.
  – WPS should be disabled on internal networks to prevent this.
• Internal networks should require the user to enter the WPA2 passphrase to access the wireless network.
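The two weaknesses described above, passphrase-derived keys and the WPS PIN, as an added worked example in Python (not part of the original slides). It computes the WPA2-Personal pairwise master key the way the standard specifies (PBKDF2-HMAC-SHA1 over the passphrase, SSID as salt, 4096 iterations, 256-bit output) and checks it against the published IEEE 802.11i test vector; then it shows why an offline dictionary attack against a captured handshake works, and why WPS brute force needs only about 11,000 online guesses. The wordlist and the candidate PIN prefix are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional

# Published test vector (IEEE 802.11i-2004, Annex H): passphrase "password", SSID "IEEE".
IEEE_TEST_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA2-Personal.

    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32-byte output.  The SSID is
    broadcast and the 4-way handshake that proves possession of this key is sent
    in the clear, so anyone who captured one handshake can test guesses offline.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def crack_pmk_offline(target_pmk: bytes, ssid: str, wordlist: List[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the PMK for each candidate passphrase.

    Real tools verify guesses against the handshake MIC rather than the PMK
    itself, but the cost per guess (one PBKDF2 run) is the same.
    """
    for candidate in wordlist:
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


def wps_checksum_digit(first_seven: int) -> int:
    """The 8th digit of a WPS PIN is a checksum over the first seven (WPS specification)."""
    accum = 0
    t = first_seven
    while t:
        accum += 3 * (t % 10)
        t //= 10
        accum += t % 10
        t //= 10
    return (10 - accum % 10) % 10


def wps_pin_from_prefix(first_seven: int) -> str:
    """Build a syntactically valid 8-digit WPS PIN from a 7-digit prefix."""
    return "%07d%d" % (first_seven, wps_checksum_digit(first_seven))


def wps_search_space() -> Dict[str, int]:
    """Worst-case number of online guesses an attacker needs.

    naive:         8 free digits
    with_checksum: the last digit is determined by the first seven
    split_halves:  the registrar acknowledges the first 4 digits separately
                   from the last 3, so each half is brute-forced on its own
    """
    return {
        "naive": 10 ** 8,
        "with_checksum": 10 ** 7,
        "split_halves": 10 ** 4 + 10 ** 3,
    }


if __name__ == "__main__":
    print(wpa2_pmk("password", "IEEE").hex() == IEEE_TEST_PMK_HEX)
    # Constructed wordlist; a key recovered from a captured handshake is tested the same way.
    print(crack_pmk_offline(wpa2_pmk("password", "IEEE"), "IEEE",
                            ["letmein", "qwerty", "password"]))
    print(wps_pin_from_prefix(1234567), wps_search_space())
```

The derivation is deliberately slow (4096 HMAC rounds per guess), but that only helps if the passphrase is not in a wordlist; length and randomness of the passphrase are what make the offline attack infeasible. For WPS, 11,000 guesses at a few seconds each is the 4 to 10 hour figure quoted above, which is why disabling WPS is the fix rather than choosing a better PIN.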
Section 10.2.2: Firewalls
• A firewall is a security control that acts as a barrier against unwanted data transfer.
• Firewalls screen:
  – Inbound or ingress data: data coming into the host or network
  – Outbound or egress data: data leaving the host or network
• Firewalls can be hardware or software solutions.
  – Firewalls may also offer extensive logging and reporting on their activity.
• A firewall filters network traffic so that only authorized traffic is routed to and from the network.
• The firewall examines each packet to see whether it matches the rules you set in the firewall. Rules are evaluated in order, and the first match decides the outcome.
  – If the packet matches an allow rule, it is let through.
  – If the packet matches a block rule, it is dropped. With the recommended default-deny policy, a packet that matches no rule at all is dropped as well.
• Types of rules set in firewalls:
  – Block/allow specific ports (HTTP, HTTPS, SSH, etc.)
  – Block/allow specific IP addresses or address ranges
  – Block/allow packets for certain applications
Methods for Employing Firewalls
• Application built into the operating system
  – Windows Defender Firewall
  – macOS has a built-in application firewall
• Separate firewall product, installed as software or as a virtual appliance
  – Barracuda NextGen Firewall
  – Cisco ASA
  – Sophos Cyberoam UTM
  – Others
• Dedicated hardware device with special firewall software installed on it
Where are Firewalls Installed?
• Host-based firewalls are installed on individual hosts (computers, servers, etc.).
  – The host-based firewall performs all firewall functions for that individual host.
  – Host-based firewalls help protect against threats that originate within the corporate network (both the internal and perimeter networks) as well as from outside it, and they are the only firewall that still applies when a laptop leaves the corporate network.
• Network-based firewalls
  – Perform firewall functions at the perimeter on all incoming and outgoing traffic.
    • Can screen out malicious traffic before it reaches any user.
  – Installed near the perimeter of the network.
    • One firewall is normally placed between the network and the Internet.
    • An additional firewall is normally placed between the internal network and the perimeter network, to screen out traffic that must be allowed into the perimeter network but blocked from the internal network.
  – Additional firewalls may be installed on specific devices.
Diagram: firewall placement (reconstructed from the slide figure)
  Internet
    -> Border gateway router
    -> Network firewall: screens all inbound and outbound traffic; may allow traffic to and from the public servers that should be blocked to and from the internal network
    -> Perimeter network / demilitarized zone (DMZ): public servers (web, mail, etc.)
    -> Second network firewall: screens and blocks specific traffic to and from the internal network that needs to be allowed in the perimeter network
    -> Intranet (LAN): internal servers (file share, databases, etc.), with host-based firewalls on individual devices
Stateless Firewalls
• A stateless firewall is also known as a packet-filtering firewall.
  – It inspects each packet individually, without reference to any earlier packet or to whether the packet belongs to an established connection.
  – It allows or blocks traffic entering or exiting the firewall by evaluating header fields: source and destination network addresses, ports, and protocols.
  – It operates on Layer 3 (Network) header fields and, for port rules, Layer 4 (Transport) header fields of the OSI/TCP-IP model.
  – Because it cannot tell a reply from an unsolicited packet, it must be told to allow inbound traffic on whole port ranges (for example all high ports) so that replies to outbound connections can get back in.
Stateful-Inspection Firewalls
• A stateful-inspection firewall does what a stateless firewall does but also tracks the connection state of each stream of data.
  – When an allowed connection is opened (for TCP, the SYN, SYN-ACK, ACK handshake), the firewall records it in a state table and matches later packets against that table rather than re-evaluating the full rule set for every packet.
  – The firewall allows packets through that are part of an existing session (the connection state is a session between the remote end and the local host). An inbound packet that belongs to no known session is treated as a new connection attempt and must be permitted by a rule, or it is dropped.
  – Each packet that enters and exits the firewall is still analyzed, and table entries are removed when the connection closes or times out.
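A worked illustration, added here and not part of the original slides, of the difference between the stateless and stateful firewalls described above, in Python. Three packets cross a toy filter: an outbound HTTPS connection from an internal host, the server's reply to it, and an unsolicited inbound SYN to the same high port from an unrelated address. The rule sets, the addresses (RFC 5737 documentation ranges) and the packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    direction: str   # "in" or "out", relative to the protected network
    flags: str = ""  # TCP flags, informational here: "S" SYN, "SA" SYN-ACK, "A" ACK


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    direction: str                      # "in" or "out"
    proto: Optional[str] = None         # None = any protocol
    dst_port: Optional[int] = None      # exact destination port, None = any
    dst_port_min: Optional[int] = None  # lower bound of a port range, None = any

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        if self.dst_port_min is not None and p.dst_port < self.dst_port_min:
            return False
        return True


def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """Packet filter: first matching rule wins; no match means default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Same rule semantics, plus a table of connections opened from the inside."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # (inside_ip, inside_port, outside_ip, outside_port, proto) of allowed outbound connections
        self.table: Set[Tuple[str, int, str, int, str]] = set()

    def filter(self, p: Packet) -> str:
        if p.direction == "in":
            key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
            if key in self.table:
                return "allow"          # reply to a connection we opened
        action = stateless_filter(self.rules, p)   # new connection: consult the rules
        if action == "allow" and p.direction == "out":
            self.table.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto))
        return action


# A stateless filter cannot recognise replies, so it has to open all high ports inbound.
STATELESS_RULES = [
    Rule("allow", "out", "tcp"),
    Rule("allow", "in", "tcp", dst_port_min=1024),
]
# The stateful filter needs no inbound rule at all: replies are matched by the state table.
STATEFUL_RULES = [Rule("allow", "out", "tcp")]


def compare() -> dict:
    inside, server, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    outbound = Packet(inside, 40000, server, 443, "tcp", "out", "S")
    reply = Packet(server, 443, inside, 40000, "tcp", "in", "SA")
    unsolicited = Packet(attacker, 4444, inside, 40000, "tcp", "in", "S")
    packets = (outbound, reply, unsolicited)
    fw = StatefulFirewall(STATEFUL_RULES)
    return {
        "stateless": [stateless_filter(STATELESS_RULES, p) for p in packets],
        "stateful": [fw.filter(p) for p in packets],
    }


if __name__ == "__main__":
    print(compare())
```

Both filters pass the outbound connection and the genuine reply. The stateless filter also passes the attacker's unsolicited SYN to port 40000, because the only way it could let replies in was to allow every high port; the stateful filter drops it because no entry in its table matches, and its inbound rule set is empty.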
Application Firewalls
• An application firewall does everything a stateful-inspection firewall does but also analyzes the actual data content (payload) of each packet, not just the header data.
• An application firewall lets you set firewall rules for specific software applications and protocols.
  – For example, a web application firewall (WAF) inspects all web traffic coming into and out of the network and checks the payload for malicious input such as SQL injection and cross-site scripting attacks.
  – Because it matches patterns in attacker-controlled data, it must decode the payload the same way the protected application will (for example URL-decoding) or an encoded payload slips past it. It complements, and does not replace, fixing the vulnerability in the application itself.
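An added example (not from the original slides) of the payload inspection a web application firewall performs, in Python. It applies two toy signature classes, SQL injection and cross-site scripting, to the path, query string and form body of an HTTP request, and shows why the WAF must normalise (URL-decode, lowercase) before matching: a double-encoded script tag contains no literal `<script` yet reaches the browser as one. The signatures and the requests are constructed for illustration and are far smaller than a real rule set.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Toy signatures for the two payload classes named on the slide.  Real WAF rule sets
# are far larger and still trade false positives against evasions; this shows the
# mechanism, not a deployable rule set.
SIGNATURES = [
    ("sqli", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+|\bunion\b\s+\bselect\b|;\s*drop\s+table\b")),
    ("xss", re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=")),
]


def normalize(value: str) -> str:
    """Percent-decode until the value stops changing (bounded), then lowercase.

    The application will decode the value before using it, so the WAF must see
    the same bytes the application will.  Without this step '%253Cscript%253E'
    (double-encoded) never matches '<script'.
    """
    cur = value
    for _ in range(3):             # bounded: hostile input cannot make us loop forever
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()


def extract_fields(path_with_query: str, body: str = "") -> Dict[str, str]:
    """Flatten path, query parameters and form body into name -> raw value."""
    parts = urlsplit(path_with_query)
    fields = {"path": parts.path}
    for k, vs in parse_qs(parts.query, keep_blank_values=True).items():
        for i, v in enumerate(vs):
            fields["query:%s[%d]" % (k, i)] = v
    for k, vs in parse_qs(body, keep_blank_values=True).items():
        for i, v in enumerate(vs):
            fields["body:%s[%d]" % (k, i)] = v
    return fields


def inspect_request(path_with_query: str, body: str = "") -> List[Tuple[str, str, str]]:
    """Return (signature, field, raw_value) for every field that matches after normalisation."""
    hits = []
    for field, raw in extract_fields(path_with_query, body).items():
        norm = normalize(raw)
        for name, rx in SIGNATURES:
            if rx.search(norm):
                hits.append((name, field, raw))
    return hits


def waf_decision(path_with_query: str, body: str = "") -> str:
    return "block" if inspect_request(path_with_query, body) else "allow"


if __name__ == "__main__":
    # Constructed requests: benign, SQLi in a form body, single- and double-encoded XSS.
    for req in [("/search?q=shoes", ""),
                ("/login", "user=admin'%20or%20'1'%3D'1&pass=x"),
                ("/search?q=%3Cscript%3Ealert(1)%3C/script%3E", ""),
                ("/search?q=%253Cscript%253Ealert(1)%253C/script%253E", "")]:
        print(req[0], waf_decision(*req), inspect_request(*req))
```

Drop the `normalize` step and the fourth request is allowed through, which is the classic WAF bypass. Even with normalisation, blocklist matching remains a race against new encodings and payload shapes; parameterised queries and output encoding in the application are what actually close the hole.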
Firewall Comparison

Capability                                                   | Stateless firewall | Stateful firewall | Application firewall
Inspects header data on each packet individually             | yes                | yes               | yes
Examines connection state of a stream of data (header-based) | no                 | yes               | yes
Analyzes actual payload content, not just header data        | no                 | no                | yes
Windows Defender Firewall Mini-Lab

Find the IP Address of the Windows Machine
• On the Windows machine, click the Windows icon in the lower left corner.
• Click the Settings icon.
• From the Windows Settings window, double-click Network & Internet.
• Scroll down and click View your network properties.
• Scroll down through the network properties to find your IPv4 address.
Your IPv4 address will be unique to your virtual machine and will not match the slide.
Ping Your Windows Machine from Your Linux Machine
• Switch over to the tab for your Linux machine and open a terminal window.
• Ping your Windows machine 4 times using the following command:
    ping -c 4 <target IP>
  Example using my IP address:
    ping -c 4 10.1.164.162
  Use your own target machine's IP address.
• You should get 4 successful ping replies. If they already fail at this stage, the Windows machine is blocking inbound ICMP echo requests before you have changed anything, and the rest of the lab will not show a difference.
Access Windows Defender Firewall on Your Windows Machine
• Switch back to the tab for your Windows machine.
• Click the back arrow next to the word Settings in the upper left of your network properties screen.
• Click the Windows Firewall option (below View your network properties, toward the bottom of the window). This opens the Windows Defender Firewall settings.
• Once open, click the Advanced settings option toward the bottom of the window.
Disable Inbound ICMP on Your Windows Machine
• Click the Inbound Rules option in the left pane of the window. All inbound rules appear in the center pane.
• Click the rule ICMP Allow incoming V4 echo request.
  – This is the rule that determines whether to allow or block incoming ping (ICMPv4 echo) requests.
• Disable the rule. You can do this in one of 3 ways:
  1. From the menu bar, click Action, then select Disable Rule.
  2. Right-click the rule in the center pane, then select Disable Rule.
  3. In the right pane, select Disable Rule.
• Inbound ICMP (ping) is now disabled on your Windows machine. There will no longer be a green checkmark next to the inbound rule.
Ping Your Windows Machine from Your Linux Machine
• Switch back to the tab for your Linux machine.
• Ping your Windows machine 4 times using the same command as before.
• The ping requests now fail. With the allow rule disabled, no enabled inbound rule matches ICMP echo requests, and Windows Defender Firewall's default inbound action is to block. Nothing else about the machine changed, which is exactly what a host-based firewall rule is for.
Section 10.2.3: Proxy Servers

Proxy Server
• A proxy server is a program or device that mediates, protects, and can speed up access to Internet sites for users on a network.
• It creates a barrier between the local area network and the Internet.
  – It prevents direct communication between a client on the network and the server on the Internet.
  – It acts as a go-between: the client talks to the proxy, and the proxy talks to the Internet-based server on the client's behalf.
  – External servers do not see the internal client's address.
    • Only the IP address of the proxy server is visible to them.
How Proxy Servers Work
• The user tries to access a site on the Internet by sending the request to the proxy server.
• The proxy server receives the request and checks its rules to see whether the user is allowed to reach that site with the requested protocol (http, ftp, ssh, etc.).
  – If not, the user is redirected to a page on the proxy server stating that the request to access that site has been denied.
• If the site is not blocked, the proxy server checks whether it already has the page in its cache.
  – If the proxy server has a fresh copy of the page, it sends that copy to the user (speeds access to the page and saves Internet bandwidth).
  – If the proxy server does not have the page, or the cached copy has expired, it is the proxy that accesses the Internet, retrieves the page content, stores a copy, and then delivers it to the user.
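The request flow above (rule check, then cache, then fetch), as an added Python example that is not part of the original slides. The `fetch` callback stands in for the proxy's own upstream connection so the example runs offline, and the clock is injectable so cache expiry can be exercised; the block list, TTL, origin pages and user names are constructed. The cache only applies to plain HTTP: an HTTPS request normally reaches a forward proxy as a CONNECT tunnel that the proxy cannot read or cache unless it deliberately intercepts TLS.

```python
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit


class ForwardProxy:
    """Decision logic of a filtering, caching forward proxy.

    fetch(url) is supplied by the caller and stands in for opening the upstream
    connection; clock() is injectable so cache expiry can be tested.
    """

    def __init__(self, blocked_hosts: Iterable[str], ttl_seconds: float = 60.0,
                 allowed_schemes: Iterable[str] = ("http",),
                 fetch: Optional[Callable[[str], str]] = None,
                 clock: Callable[[], float] = time.time):
        self.blocked_hosts = {h.lower() for h in blocked_hosts}
        self.allowed_schemes = set(allowed_schemes)
        self.ttl = ttl_seconds
        self.fetch = fetch
        self.clock = clock
        self.cache: Dict[str, Tuple[float, str]] = {}   # url -> (stored_at, body)
        self.log: List[Tuple[str, str, str]] = []       # (user, url, outcome): usage tracking
        self.upstream_fetches = 0

    def _denial_reason(self, url: str) -> Optional[str]:
        parts = urlsplit(url)
        if parts.scheme not in self.allowed_schemes:
            return "protocol %r is not permitted through this proxy" % parts.scheme
        host = (parts.hostname or "").lower()
        # Block the listed host and every subdomain of it.
        if any(host == b or host.endswith("." + b) for b in self.blocked_hosts):
            return "site %r is on the block list" % host
        return None

    def request(self, user: str, url: str) -> Tuple[str, str]:
        """Return (outcome, body); outcome is one of denied, cache-hit, fetched."""
        reason = self._denial_reason(url)
        if reason is not None:
            self.log.append((user, url, "denied"))
            # The user is redirected to a denial page, not silently dropped.
            return "denied", "<h1>Access denied</h1><p>%s</p>" % reason
        now = self.clock()
        cached = self.cache.get(url)
        if cached is not None and now - cached[0] < self.ttl:
            self.log.append((user, url, "cache-hit"))
            return "cache-hit", cached[1]
        body = self.fetch(url)            # the proxy, not the client, talks to the Internet
        self.upstream_fetches += 1
        self.cache[url] = (now, body)
        self.log.append((user, url, "fetched"))
        return "fetched", body


def demo() -> Tuple[List[str], int]:
    # Constructed origin content and a controllable clock.
    origin = {"http://news.example/": "<p>headlines</p>"}
    now = [1000.0]
    proxy = ForwardProxy(blocked_hosts=["gambling.example"], ttl_seconds=60,
                         fetch=lambda u: origin[u], clock=lambda: now[0])
    outcomes = [
        proxy.request("alice", "http://news.example/")[0],
        proxy.request("bob", "http://news.example/")[0],
    ]
    now[0] += 120                                                   # cache entry expires
    outcomes.append(proxy.request("carol", "http://news.example/")[0])
    outcomes.append(proxy.request("dave", "http://odds.gambling.example/")[0])
    outcomes.append(proxy.request("erin", "ftp://files.example/")[0])
    return outcomes, proxy.upstream_fetches


if __name__ == "__main__":
    print(demo())
```

Only two upstream fetches are made for three requests to the same page; the block list catches a subdomain of the listed host as well as the host itself; and an unsupported protocol is denied by the same rule check, which is why the log records every request, allowed or not.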
[Figure: example of a proxy server denial page]
Popular Uses for Proxy Servers
• Private and anonymous Internet access
  – Cookies, scripts, etc., can be blocked.
• Tracking Internet usage by employees
• Hiding internal IP addresses from external parties, including malicious ones
• Filtering tool
  – Inappropriate requests, or requests for which the user does not have access, are not answered.
  – Communication is not silently dropped; the user is redirected to a denial page.
Proxy Servers Do NOT Perform Network Address Translation (NAT)

Proxy server: connects to, responds to, and receives traffic from the Internet, acting on behalf of the client computer (it terminates the client's connection and opens its own). Operates at Layer 4 (Transport) or Layer 5 (Application) of the TCP/IP protocol stack.

Network Address Translation (NAT): transparently changes the origination address of traffic passing through it before forwarding it to the Internet; the client's own connection continues end to end. Operates at Layer 3 (Network) of the TCP/IP protocol stack.
Proxy Servers Are NOT Firewalls

Basis for comparison | Firewall                                                               | Proxy server
Basic                | Monitors and filters incoming and outgoing traffic in the local network | Establishes the connection between the network client and the external server
Filters              | IP packets                                                             | Client-side requests for the connection
Involves data        | Network and transport layer (TCP/UDP and IP)                           | Application layer data

Application firewalls blur this line, since they also inspect application-layer data, and many products bundle both functions in one appliance.
Where are Proxy Servers Installed?
• Near the perimeter of the network
• Positioned to control all traffic in and out of the user network
• If the organization has a web server that anyone can access from the Internet, it is located outside the portion of the network controlled by the proxy server.

Diagram: proxy placement (reconstructed from the slide figure)
  Internet
    -> Border gateway router
    -> Perimeter network / demilitarized zone (DMZ): public servers (web, mail, etc.) and the proxy server
    -> Intranet (LAN): internal servers (file share, databases, etc.) and user workstations, whose Internet traffic passes through the proxy
Section 10.2.4: Intrusion Detection Systems (IDS) & Intrusion Prevention Systems (IPS)

Intrusion Detection System (IDS)/Intrusion Prevention System (IPS)
• IDSs and IPSs are similar to a burglar alarm.
• Both are systems (software, or appliances running that software) designed to automatically warn administrators when someone is trying to breach the system through malicious activity.
  – They detect the presence of unwanted activity and alert the administrator.
IDS vs. IPS

IDS
● Detects potential intrusions and alerts the system administrator
● Does not do anything to stop an attack that is in progress (it works on a copy of the traffic, out of band)

IPS
● Detects potential intrusions and alerts the system administrator
● Takes action to stop an attack (it sits inline in the traffic path)
  ○ Resets a suspicious connection
  ○ Blocks a suspicious IP address
Typical Features of an IDS or IPS
• Monitor and analyze user and system activities
• Audit system files, other configurations, and the operating system
• Assess the integrity of system and data files
• Analyze patterns based on known attacks
• Detect errors in system configuration
• Detect and warn when the system is under attack
• An IPS will also try to stop the attack
Advantages of an IDS/IPS
• The network or computer is constantly monitored for intrusions or attacks.
• The system can be tuned to the needs of the organization and can address both external and internal threats to the system and network.
• An IPS can stop many attacks before they cause damage to the network.
• It provides a user-friendly interface that allows easy security management.
• Alterations to files and directories on the system can be easily detected and reported (a host-based IDS function).
Signature-Based IDS/IPS
• Works on the principle of matching.
• Data is analyzed and compared with signatures of known attacks.
  – Advantage: high accuracy on known attacks, and standard alarms that are understood by the user.
  – Disadvantage: it will not detect a new type of attack, or a known attack rewritten so that it no longer matches a signature in the database.
BUS6302.64, 74, 83
Anomaly-Based IDS/IPS
• Also known as statistical or heuristic IDSs.
• Builds a statistical model of normal network traffic (this takes time, and the model must be built while the network is known to be clean, or the attacker's traffic becomes part of "normal"):
  – Bandwidth used
  – Protocols seen in the traffic
  – Ports and devices that are part of the network
• Monitors network traffic and compares it to the statistical model.
  – The administrator is alerted if an anomaly or discrepancy is detected.
  – Advantage: can detect new and unique attacks.
  – Disadvantage: legitimate but unusual activity also looks anomalous, so it produces more false alarms than signature matching.
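An added Python example (not from the original slides) that runs both detection styles described above over a constructed web-server access log: a signature matcher for known SQL injection, cross-site scripting and path traversal payloads, and a statistical anomaly detector that flags any source whose request count in the window exceeds the baseline mean by more than three standard deviations. The log lines, the baseline figures and the addresses are constructed for the example. Each method catches what the other misses, which is the trade-off the two slides describe.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Combined-log-style line: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Signatures for known attack payloads, applied after URL-decoding the request path.
SIGNATURES = [
    ("sqli", re.compile(r"'\s*or\s+'|\bunion\s+select\b", re.I)),
    ("xss", re.compile(r"<\s*script\b", re.I)),
    ("traversal", re.compile(r"\.\./")),
]

# Requests per source per minute observed on a clean day (constructed baseline data).
BASELINE_PER_SOURCE = [2, 3, 1, 2, 4, 3, 2, 1, 3, 2]


def parse(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (signature, ip, raw_path) for each request matching a known attack pattern."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        decoded = unquote(rec["path"])
        for name, rx in SIGNATURES:
            if rx.search(decoded):
                hits.append((name, rec["ip"], rec["path"]))
    return hits


def build_baseline(normal_counts: List[int]) -> Tuple[float, float]:
    """Statistical model of 'normal': mean and standard deviation of requests per source."""
    return mean(normal_counts), pstdev(normal_counts)


def anomaly_detect(lines: List[str], baseline: Tuple[float, float], z: float = 3.0) -> Dict[str, int]:
    """Flag sources whose request count lies more than z standard deviations above the mean."""
    mu, sigma = baseline
    threshold = mu + z * sigma
    counts = Counter(rec["ip"] for rec in map(parse, lines) if rec is not None)
    return {ip: n for ip, n in counts.items() if n > threshold}


def make_sample_log() -> List[str]:
    """Constructed log: a few normal clients, one attacker sending two known payloads,
    and one attacker hammering an innocuous page (nothing for a signature to match)."""
    tmpl = '{ip} - - [10/Oct/2023:13:55:{sec:02d}] "GET {path} HTTP/1.1" {status}'
    lines = [
        tmpl.format(ip="203.0.113.10", sec=1, path="/index.html", status=200),
        tmpl.format(ip="203.0.113.10", sec=2, path="/about.html", status=200),
        tmpl.format(ip="203.0.113.11", sec=3, path="/index.html", status=200),
        tmpl.format(ip="203.0.113.12", sec=4, path="/contact.html", status=200),
        tmpl.format(ip="198.51.100.7", sec=5, path="/login.php?user=admin'%20OR%20'1'%3D'1", status=500),
        tmpl.format(ip="198.51.100.7", sec=6, path="/search?q=%3Cscript%3Ealert(1)%3C/script%3E", status=200),
    ]
    lines += [tmpl.format(ip="198.51.100.20", sec=10 + i, path="/index.html", status=200)
              for i in range(40)]
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print(signature_detect(log))
    print(anomaly_detect(log, build_baseline(BASELINE_PER_SOURCE)))
```

The signature pass reports only 198.51.100.7, whose two requests carry recognisable payloads, and says nothing about 198.51.100.20; the anomaly pass reports only 198.51.100.20, whose forty requests are individually harmless, and says nothing about the two injection attempts. Production systems run both, and the anomaly threshold is the knob that trades missed attacks against false alarms.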
Where are IDSs/IPSs Installed?
• Network-based
  – Installed at the perimeter of the network
    • First device that sees incoming packets
    • Last device that sees outgoing packets
  – Large organizations often outsource this to third-party vendors
    • They have better visibility of attacks happening across many customers
    • Have a scale advantage in tuning and response
    • Can update signature files on all clients at once
• Host-based
  – Usually only installed on specific high-value servers
  – Monitors the operating system of the host (processes, logs, file integrity)
Where are IDSs Installed?

Diagram: IDS placement (reconstructed from the slide figure)
  Internet -> border gateway router -> perimeter network/DMZ (public servers, proxy server) -> intranet (LAN, internal servers)
  The IDS hangs off the traffic path and receives a copy of every packet coming into the network (from a network tap or a switch mirror port). Packets are still delivered into the network; the IDS can only alert.
BUS6302.64, 74, 83
Where are IPSs Installed?

Diagram: IPS placement (reconstructed from the slide figure)
  Internet -> border gateway router -> IPS -> perimeter network/DMZ (public servers, proxy server) -> intranet (LAN, internal servers)
  The IPS sits inline and intercepts every packet coming into the network. It blocks packets it determines to be part of an attack. Because it is inline, a false positive blocks legitimate traffic and an IPS outage can take the link down, so its placement and fail-open or fail-closed behaviour have to be decided deliberately.
Section 10.2.5: Unified Threat Management (UTM) Devices

Unified Threat Management (UTM) Device
• An appliance that combines several security functions into one all-in-one device, so the network's security can be managed from one location.
• Features normally on a UTM device:
  – Anti-virus
  – Anti-spyware
  – Anti-spam
  – Network firewall
  – Intrusion detection and prevention
  – Content filtering (proxy server)
  – Data leak prevention
• Other services that may be on a UTM device:
  – Remote routing
  – Network Address Translation (NAT)
  – Virtual Private Network (VPN) support
• Advantages
  – It reduces the number of devices that must be managed.
  – Administrators do not have to learn how to use multiple systems.
  – It can be a lower-cost solution.
• Disadvantages
  – It is a single point of failure and a single point of attack.
  – If the UTM device is compromised, every security function it hosts is compromised at once, so it must be patched and its management interface locked down with the same care as a perimeter firewall.
Where are UTMs Installed?

Diagram: UTM placement (reconstructed from the slide figure)
  Internet -> border gateway router -> UTM device -> perimeter network/DMZ (public servers) -> intranet (LAN, internal servers)
  The UTM device performs some or all of the following functions: network firewall, proxy server, IDS/IPS, NAT, network-based antivirus, Virtual Private Network (VPN).