OCTOBER 2023

SECURITY
ARCHITECTURE
Barbara Krašovec
TABLE of contents

1. Fundamental security principles
2. Skills to be a security architect
3. How to design secure infrastructure
4. Security standards and frameworks
5. Cybersecurity programme (CSP)
6. Security controls
7. Physical security
8. Network security

Security Architecture

Security principles, methods and models:
- designed to keep your infrastructure safe,
- security design that addresses potential risks,
- the overall system required to protect your infrastructure,
- security controls, policies, procedures, and guidelines,
- building security into system design, implementation and deployment.

Traditional vs defensible approach

Traditional security architecture: The focus is on hardening systems against potential risks and on perimeter-based network security. "Castle and moat model*" - the objective is to keep the intruders out, under the supposition that everything inside the network is safe.

Defensible security architecture: An ongoing process of adapting security controls and procedures, based on the current risks and threats. It is based on the implementation of fundamental security principles such as zero trust. It is about designing infrastructure and applications that stay resilient under attack.

[Figure: trusted (inside) vs untrusted (outside) network zones]

*"Castle-and-moat" - network design where the organization's network is seen as a castle and the network perimeter as a moat. Once the drawbridge is lowered and someone crosses it, they have free rein inside the castle grounds. Image source: https://www.compact.nl/articles/zero-trust-beyond-the-hype/

Image source: https://www.clouddirect.net/a-beginners-guide-to-zero-trust/t


OBJECTIVES

SECURITY DESIGN cycle: IDENTIFY - PREVENT - DETECT - RESPOND - RECOVER

IDENTIFY: Understand the system and its operation, the context and potential risks.
PREVENT: Apply security controls to prevent the risk. Harden and isolate systems.
DETECT: Provide continuous monitoring and logging to detect anomalies.
RESPOND: Respond to the security incident, investigate the system, run analysis, and inform stakeholders.
RECOVER: Update security policies and procedures, and prepare guidelines and documentation.
RISK - Focus of security

[Figure "Ingredients of Happiness": risk as the combination of Impact, Threat and Vulnerability]

Likelihood = Threat x Vulnerability
RISK = Likelihood x Impact

Security is about managing risk to the critical assets.
Risk is the likelihood of a threat touching a vulnerability in the system.
The key is understanding what is critical and high risk to your organisation and how to reduce it.
Threats

Non-actor driven: Usually unintentional, a result of negative outcomes from operations. Caused by:
- natural disaster
- errors in systems (bugs)
- human error (accidents, negligence)

Actor driven: Usually deliberate/intentional, caused by deliberate actions from actors/groups.
Threat modelling
Strategically thinking about what can go wrong.

1. SET OBJECTIVES - What do we want to accomplish?
2. IDENTIFY THREATS - What can go wrong?
3. PLAN - What are we deploying?
4. MITIGATE - How to prevent threats?
5. AUDIT - Did we succeed in the previous steps?
FUNDAMENTAL SECURITY PRINCIPLES

Defence-in-depth: Multiple layers of protection; if a level of protection fails, the subsequent level will prevent an attack.
Zero trust: No person, device or service can automatically be trusted.
Least privileges: Only services and people that need permissions will get them.
Separation of duties: SPOC - no single point of control; a single person cannot carry out a compromise alone.
CIA triad: Cybersecurity is the protection of Confidentiality, Integrity and Availability of information in the system.

Defence-in-depth
Any layer of protection might fail.
Integration of defence-in-depth means that multiple levels of protection must be deployed and different types of security controls (organisational, technical etc.).
A single magical solution doesn't exist.
An example: MFA + patches + firewall + IDS + automatic penetration tests + data encryption.

Zero trust
No asset or user is trusted.
- You don't automatically believe everything inside your firewall can be trusted.
- All users should be authenticated (in or outside of an organisation network) - MFA if possible.
- Key principles: continuous verification, minimising the impact of a compromise if it occurs, and granting access only if it is really needed.
- The focus is on protecting resources, not network segments.
See NIST SP 800-207: https://csrc.nist.gov/pubs/sp/800/207/final
Least privilege
The principle of least privilege (POLP) means granting a minimum level of access rights to users and services to perform their jobs.
- Access rights are not permanent. Revise assigned privileges regularly.
- Hardening hosts is part of this approach too: delete default accounts, and uninstall/disable services that are installed by default but not needed.
- Don't give users privileges on a "just in case you need them" basis.

Separation of duties
No single point of control.
No user should be given enough privileges to misuse the system.
- Security measures to prevent fraud, misuse of information, and error.
- The SoD principle can be implemented by defining roles, by enforcing access controls, by the two-person rule etc.
- Example: two signatures required for a bank transaction, a door with two locks and a single key for each lock, separate actions in separate locations...
CIA triad
CONFIDENTIALITY: Only authorised users should be able to access the information.
INTEGRITY: Make sure that data has not been modified, and that it is accurate.
AVAILABILITY: Information should be available when required.

This concept is part of ISO 27001, a global standard for information security.

QUIZ

Is unauthorised access to the information loss of:
- integrity
- availability
- confidentiality

Web server is down when trying to access a website. Is this the loss of:
- integrity
- availability
- confidentiality

To access her mailbox, Alice has to use the company's VPN and log in with her username and password and OTP. Is this implementation of:
- defence-in-depth principle
- zero trust principle
- separation of duties principle
Security architect
A security architect works to design, build, test, and implement security systems within an organisation.

1. Define objectives: Based on risk assessment, the security architect defines the objectives of the information system.
2. Create architecture plan: Preparation of reference architecture, definition of the approach and required security controls (topology diagram, definition of processes etc.).
3. Create security solution architecture: Development of Security Solution Architecture.
4. Detect anomalies and revise: Monitor the system, audit it, and review the procedures, policies, and controls. Based on the results, revise the architecture framework and security controls.

Role of security architect - Core tasks
- Develop security design for systems and networks, taking into account the fundamental security principles and objectives of the organisation.
- Define the scope of the information system, its location, required services and what kind of data will be processed.
- Prepare security policies and procedures.
- Prepare documentation on assets, risk assessment and treatment, vulnerability management etc.
- Run risk assessment to identify critical processes and services and apply security controls that will reduce the risk.
- Implement the information system.
- Perform security reviews and audits.
- Ensure staff training and security awareness.
- Monitor the system and detect anomalies.
- Review and revise.
How to design security architecture
Security should be included in the process from start to finish, from design to production. You cannot do security when the service is in production, as you cannot build an earthquake-proof building after it is already built.

1. Use security principles and security frameworks. Use visual charts to communicate info more effectively.
2. Run risk assessment. Understand how a system works and how it can fail, what the critical services are, what the highest risk is, what the threats are.
3. Prepare policies and system design. Based on the risk assessment, prepare security controls, policies, procedures.
4. Implement and review. Prepare the system, implement it. After the implementation, monitor the system to detect anomalies and prevent cybersecurity attacks. Constantly improve the procedures and controls.
Security models

CIA TRIAD: Confidentiality, Integrity and Availability as three crucial components of security.
CISCO PPDIOO: Prepare - Plan - Design - Implement - Operate - Optimise. The basis is a lifecycle approach to network design that improves business agility and network availability.
PDCA: Repetitive four-stage model Plan - Do - Check - Act for continuous improvement, considered as the basis for quality control. Also called the Deming wheel or Shewhart cycle.

Security design principles
- The context: understand the components of your system and its objectives, address shortcomings, separate responsibilities, and understand the threat model.
- Assess the risk to the organisation.
- Identify the legal, regulatory, and contractual requirements your organisation must comply with.
- Design the system: network segments, services, communication channels, authN and authZ options.
- Identify critical services and sensitive data.
- Provide mechanisms for compromise detection (collect logs and monitor events).
- Reduce the attack surface, and reduce the impact of compromise and failure.
- Provide an incident response plan.
CYBERSECURITY PROGRAMME
- incorporates the strategy of an organisation, organisational policies, standards, how-tos, procedures,
- based on experience, industry standards, regulations, guidelines,
- built with the help of a security framework, which is adapted to an organisation.
Following a security framework is not enough; a defensive strategy is needed to implement the CSP.

A DEFENSIVE STRATEGY is a plan to achieve organisational security objectives, based on risk assessment, identification of cyber threats, the organisation's assets, security controls, detection and incident response procedures etc.

Benefits of CSF:
- Specifically describes current and targeted cybersecurity posture
- identifies security gaps
- identifies how to improve the security
- demonstrates alignment with standards and best practices
- addresses the organisation's security risks and their mitigation
- Designs and implements security controls
Security frameworks

A security framework is a set of policies, guidelines, and best practices designed to manage an organization's information security risks. As the name suggests, frameworks provide the supporting structure needed to protect internal data against cyber threats and vulnerabilities. (source: OneTrust)

Purpose: to implement security and develop a cybersecurity programme.

When should an organisation implement a Cybersecurity Programme?
- when you have unclear roles and responsibilities for information systems and data,
- when you lack work procedures,
- when information is stored all over the organisation,
- when dealing with low security awareness,
- when no incident management procedures are in place,
- when there is no risk management defined,
- when you lack formal policies and procedures.
ISO 27000 series
- also known as the 'ISMS Family of Standards' or 'ISO27K' for short
- international standard for information security, cybersecurity and protection. Updated in 02/2022.
- more than 100k organisations worldwide certified
- the organisation has to formalise procedures and security policies, and has a risk assessment plan

ISO27001 - Specification of Information Security Management System (ISMS)
ISO27002 - Information security controls
ISO27005 - ISO standard for information security risk management

https://www.iso.org/standards.html

ISO 27001
Specification of Information Security Management System (ISMS)
- Security controls structure: Organisational, physical, and technological controls
- Controls' attributes are either Preventive, Detective or Corrective.
- The new version released in 2022 includes new security controls (threat intelligence, security for use of cloud services, business continuity, physical security monitoring, data deletion/masking and leaking prevention, web filtering, configuration management and secure coding). Source: Advisera
- 93 security controls (before 114), some of them were merged

ISO27k CHECKLIST
Diamond model
The Diamond Model of Intrusion Analysis is a framework for investigating and analyzing cybersecurity incidents. Intelligence analysts and computer security researchers developed it to help understand and characterize cyber-attacks. It is a valuable model for threat intelligence.

- adversary: what is the motive, why did the attack happen?
- infrastructure: location of the attacker, the methods used to attack the target system, and the tools and techniques employed.
- victim: target of the attack; which security gap was used and what the potential impact of the attack on the organisation is.
- capabilities: the attacker's methods and techniques, which vulnerability they exploited, which malware was installed, how sophisticated the attack was.
NIST CSF
NIST SP 800 by the National Institute of Standards and Technology.
Currently version 1.1 is in place, but a Draft for CSF 2.0 Core is available and you can provide comments until Nov 2023.
Based on 5 pillars: identify, protect, detect, respond, recover.

https://www.nist.gov/itl/smallbusinesscyber/planning-guides/nist-cybersecurity-framework

NIST CSF
NIST helps you answer the following questions:
- How to categorise and protect your data?
- How to conduct risk assessments?
- How to prepare a security plan?
- How to implement security controls?
- How to measure performance and efficiency?
- How to process data?

https://www.nist.gov/cybersecurity
CIS controls
- known also as Critical Security Controls,
- developed by the Center for Internet Security,
- contain a set of actions for system cyber defense.
CIS controls are used to identify common exploits,
- they provide recommendations on how to defend (safeguards),
- are measurable,
- each safeguard has a description (for a small office, for a large organization with IT, for an organization with a security expert group).

See: https://www.cisecurity.org/

CIS controls
[Figure: overview of the CIS Controls v8]
Source: https://www.sans.org/blog/cis-controls-v8

CIS benchmarks
How to translate a CIS safeguard to action - configuration guidelines.
- more than 100 benchmarks/safeguards available, for network devices, operating systems, software packages, cloud providers etc.
- more than 25 vendor products included, such as Cisco, F5, Juniper.
- many vendors implement CIS benchmarks (such as Nessus, OpenVAS etc.).
See: https://learn.cisecurity.org/benchmarks

CIS - network

ISA
- Adoption of the NIST standards for operational technology (OT)
- the organisation has to formalise procedures and security policies, and has a risk assessment plan
- policies and practices that are suitable for industrial automated control systems
- over 150 standards
- ISA standards committees produce two types of related documents:
  a. recommended practices (RP) with suggestions for applying a standard
  b. technical reports (TR) as guidance for understanding a topic/standard.

See: https://www.isa.org/standards-and-publications/isa-standards

ISA
Cyber Security Kill Chain
The Cyber Security Kill Chain intrusion model explains the typical procedure that attackers follow when performing a successful cyber attack. Developed by Lockheed Martin, it is derived from military attack models.

This model is implemented by MITRE ATT&CK and has 7 steps:
1. reconnaissance
2. weaponisation
3. delivery
4. exploit
5. installation
6. C2 (command and control)
7. actions

Source: www.csoonline.com

MITRE ATT&CK
- security framework,
- KB for cyber adversary behaviour based on real-world observations,
- used by cybersecurity professionals to understand, analyze, and defend against cyber threats,
- useful to plan for security improvements,
- useful to understand security risks against known adversary behaviour.

KB organised into a matrix of tactics and techniques (goals and methodology):
- tactics = initial access, execution, persistence, exfiltration
- techniques: phishing, scripting, keys, encryption

MITRE ATT&CK
COBIT
Control Objectives for Information and Related Technologies
- good-practice framework made by ISACA
- suitable for enterprises
See: https://www.isaca.org/resources/cobit

Information security related regulations in the EU
- The European General Data Protection Regulation (GDPR)
- Digital future strategy
- The Network and Information Systems Directive (NIS Directive)
- Revision of the NIS Directive (new NIS2 Directive)
- The EU Cybersecurity Act
- The EU-Wide Cybersecurity Certification Scheme

A collection of all EC standards can be found here (standards, not regulation):
https://ec.europa.eu/info/files/security-standards-information-systems_en

Establish security policies
How to put policies in place?
Use the documentation and templates that are already available:
- AARC Project: https://aarc-project.eu/policies/policy-development-kit/
- WISE: https://wise-community.org/published_documents
QUIZ

What kind of skills does a security architect need?
- technical skills
- management skills
- risk assessment skills
- communication skills
- all of the above

Which security framework is most suitable for OT systems?
- ISA
- NIST CSF
- COBIT

Which of the following security controls are added to the new ISO27001:2022 standard?
- Configuration management
- Physical security
- Human resource security
Physical security
Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. This includes protection from fire, flood, natural disasters, burglary, theft, vandalism and terrorism. (definition by TechTarget)

Questions to ask:
- Is important equipment vulnerable?
- Where can the equipment be used?
- Who is responsible for maintenance?
- Are policies in place for using equipment that leaves the premises?

ISO27001:2022 includes physical and environmental security controls to safeguard information systems from physical threats. It expands the control related to safe areas to cloud environments.

The EC also published its standard on physical and environmental security, with the same focus as ISO27k. Download here:
https://commission.europa.eu/select-language?destination=/media/6775
Physical security - threats
What are the threats that physical security controls should tackle:
- fire,
- water damage,
- destruction of equipment,
- earthquakes,
- failure of air conditioning,
- loss of power supply,
- remote spying,
- eavesdropping,
- tampering,
- disclosure,
- unauthorised use,
- corruption of stored data,
- theft,
- etc.
Physical security by ISO27k
ISO27001 includes the following categories of physical and environmental security controls:
- Secure areas (including virtual/cloud): walls, card-controlled entry gates, physical security for offices, data centres, protection against flood, fire, and earthquake, access control for secure areas, IAM etc.
- Physical entry controls: CCTV surveillance, security guards, protective barriers, locks, perimeter intrusion detection, policy on the visitor management process etc.
- Equipment security: protected from power failures, unauthorised usage, fire protection, clear policies for removable storage media, and policies on removal of data that is saved on the equipment.
- Reuse of equipment: clear policy on data erasure and destruction.
- Protection against environmental threats: controls for monitoring environmental conditions, such as temperature, humidity, air quality.

Hardware Security
Hardware security includes:
- secure hardware design,
- access controls,
- secure procurement process,
- secure supply chain (shipping, credentialing of all involved participants etc.),
- maintenance,
- security of hardware off-premises.

Hardware must be protected from physical and environmental threats and from opportunities for unauthorised access.
- Place sensitive equipment in a well-protected zone.
- Monitor and restrict access to the equipment, both physical access and software-based access.
- Disable unused interfaces (physically, in BIOS, from the OS) or configure them in a restrictive manner, e.g. USB device whitelisting.
- Power and communication cables must be protected.
QUIZ

Which is NOT part of ISO27k on physical security?
- secure areas
- physical access controls
- reuse of equipment
- fire procedure

Is the following true or false?
- Cloud equipment was only added to the ISO27k standard in the 2022 release?
- EC has no standards or guidelines on physical security?
- Because of remote work, organisations had to address the use of equipment off-premises in their policies?
Network security
The objective of network security is to reduce the attack surface and provide isolation.
Since the network is the attack vector, monitoring is crucial to detect (attempts at) compromises.

TO GET THE WHOLE PICTURE
Conceptual network design includes the identification of all core components of the network architecture, to have an overview of what the purpose of the network is.
Understanding the threats to your system is crucial. What are the attack methods? And what are the attacker's objectives? Where is your critical data? Who has access to it?

Main problems:
- many network devices are not kept up to date
- many network devices are accessible from the external network
- many network devices are accessible via a password
- the network is not segmented, critical services are not isolated.
Network design

NETWORK TOPOLOGY
- PHYSICAL: how the network is connected, how the data flows.
- LOGICAL: how services communicate, which protocols are used.

Network segmentation means that we split the network into multiple segments/sub-networks by using firewalls, VLANs, access controls or SDN.

Detect what you cannot prevent.

NETWORK DESIGN CONSIDERATIONS
- Network segmentation
- KISS principle = keep it simple, stupid
- Secure channels (VPN)
- Network access control
- Security policy enforcement
- Regulatory compliance
- CIA triad

How to segregate?
- follow the least privilege rule and only provide access to the system when it is necessary
- define network segments based on the location of sensitive data and critical services
- Guests should have access to the Internet, but not to the internal network
- Services and desktop users should be in different subnets

Why segregate?
- to ensure isolation
- to improve performance (less congestion in network traffic)
- to reduce the attack surface
- to prevent a single point of failure
- to improve network monitoring

DO NOT SEGREGATE TOO MUCH
Multiple segments lead to:
- additional costs
- more chances for misconfigurations
- increased complexity
- multiple access policies to maintain

https://www.zenarmor.com/docs/network-basics/network-segmentation
Common network segments
- PUBLIC NETWORK - Internet, not under the control of an organisation
- DMZ NETWORK - semi-public network, services that need access to the internet (web, mail, DNS etc.)
- MIDDLEWARE NETWORK - used to separate the DMZ from the private network (filtered access, proxy servers)
- PRIVATE NETWORK - internal services (sensitive information) - only access from the middleware network is possible

A firewall is usually placed between the public and other networks, also between the DMZ and the private network and between trusted zones.

Basics for network design
- Allow internal users to access the internet,
- services that require Internet access should be limited,
- access to the internal services should be prohibited from the public networks, it should be restricted to the DMZ,
- resources in public networks cannot be trusted,
- a system that is visible from the Internet cannot contain sensitive data, sensitive services need to be in a private network,
- the DMZ communicates with private networks via a proxy,
- apply the zero trust principle in all segments,
- apply defence-in-depth (segmentation + firewall(s) + IDS + attack mitigation software etc.),
- databases and storage systems should not be accessible from the public internet.
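The segment rules above (public reaches only the DMZ, the DMZ reaches internal services only through the middleware proxy, everything else is denied by default) can be expressed as a small zone-aware, stateful packet filter. The following is an added example written for this page, not code from the original slides; the address plan, rule set and sample packets are constructed for illustration, and a real deployment would express the same policy in a firewall ruleset rather than in Python.

```python
"""Zone-based, deny-by-default packet filter for the four segments on the slide.
Added example; addresses, rules and packets are constructed, not from a real network."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan: anything not in a named segment is treated as public.
SEGMENTS = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "middleware": ipaddress.ip_network("198.51.100.0/24"),
    "private": ipaddress.ip_network("10.0.0.0/8"),
}

def zone_of(ip: str) -> str:
    """Map an address to its segment name; unknown addresses are 'public'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "public"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]  # None matches any destination port

# Explicit allow list; anything not listed is dropped (deny by default).
# There is deliberately no public->private and no dmz->private rule: the DMZ
# reaches internal services only through the middleware (proxy) segment.
ALLOW_RULES = [
    Rule("public", "dmz", "tcp", 443),           # public web service
    Rule("public", "dmz", "tcp", 25),            # inbound mail
    Rule("public", "dmz", "udp", 53),            # authoritative DNS
    Rule("private", "public", "tcp", 443),       # internal users browsing
    Rule("dmz", "middleware", "tcp", 8080),      # DMZ talks to the proxy only
    Rule("middleware", "private", "tcp", 5432),  # proxy reaches the internal database
]

def match_new_connection(pkt: dict, rules=ALLOW_RULES) -> bool:
    """Stateless check of the header fields: zones, protocol and destination port."""
    src, dst = zone_of(pkt["src"]), zone_of(pkt["dst"])
    return any(
        r.src_zone == src and r.dst_zone == dst and r.proto == pkt["proto"]
        and (r.dport is None or r.dport == pkt["dport"])
        for r in rules
    )

class StatefulFilter:
    """Adds a connection table so replies to allowed flows pass without a reverse rule."""

    def __init__(self, rules=ALLOW_RULES):
        self.rules = rules
        self.established = set()  # (src, sport, dst, dport, proto) of allowed flows

    def process(self, pkt: dict) -> str:
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        if reverse in self.established:
            return "allow"  # reply packet of an established flow
        if match_new_connection(pkt, self.rules):
            self.established.add(key)
            return "allow"
        return "drop"

# Constructed packets exercising the rules; each entry is (description, packet).
SAMPLE_PACKETS = [
    ("internet -> DMZ web", {"src": "203.0.113.5", "sport": 51000, "dst": "192.0.2.10", "dport": 443, "proto": "tcp"}),
    ("DMZ web reply", {"src": "192.0.2.10", "sport": 443, "dst": "203.0.113.5", "dport": 51000, "proto": "tcp"}),
    ("internet -> private db", {"src": "203.0.113.5", "sport": 51001, "dst": "10.0.0.20", "dport": 5432, "proto": "tcp"}),
    ("DMZ -> private db direct", {"src": "192.0.2.10", "sport": 40000, "dst": "10.0.0.20", "dport": 5432, "proto": "tcp"}),
    ("DMZ -> proxy", {"src": "192.0.2.10", "sport": 40001, "dst": "198.51.100.8", "dport": 8080, "proto": "tcp"}),
    ("proxy -> private db", {"src": "198.51.100.8", "sport": 40002, "dst": "10.0.0.20", "dport": 5432, "proto": "tcp"}),
    ("internal user -> internet ssh", {"src": "10.0.1.7", "sport": 40003, "dst": "203.0.113.5", "dport": 22, "proto": "tcp"}),
]

def run_filter(packets=SAMPLE_PACKETS) -> list:
    """Return (description, verdict) pairs in packet order."""
    fw = StatefulFilter()
    return [(desc, fw.process(pkt)) for desc, pkt in packets]

if __name__ == "__main__":
    for desc, verdict in run_filter():
        print(f"{verdict:5}  {desc}")
```

The second packet is the DMZ server's reply and is allowed only because the connection table remembers the first; with a purely stateless filter it would need its own "dmz -> public" rule, which would also let the DMZ open arbitrary outbound connections. The two attempts to reach the private database directly are dropped because no rule exists, which is what "deny by default" buys you.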
Network attacks against devices

Attacks against routers:
- DoS
- Brute force
- DDoS
- Password attack
- packet sniffing
- packet misrouting
- SYN flood
- TCP reset attack
- Insider threat

Attacks against switches:
- MAC flooding
- DHCP spoofing and starvation
- STP attacks
- VLAN hopping
- Telnet attack
- CDP manipulation

How to defend your network against these attacks?
- Shut down/disable unused services and ports.
- Use strong passwords and a well-defined password change policy. If possible, disable password login completely.
- Control physical access to devices.
- Use tools for automatic configuration; this ensures a backup of your configuration.
- Patch devices for security issues.
- Implement a defense-in-depth approach.
- Perform security auditing.
How to prevent attacks from the network?
- account lock-out,
- configure rate-limiting,
- use the deny rule by default and only open the ports that are really necessary,
- use packet filtering (looks into the packet header and checks source and destination IP and port),
- use stateful packet inspection (opens the header/envelope to see the context),
- use proxies to ensure another layer of protection (man-in-the-middle inspection),
- use NAT for internal networks (local IPs that are not routable across the internet),
- enable IP source verification (a customer cannot spoof its IP address),
- LPTS = local packet transport service - configure allowed settings (e.g. number of allowed ICMP packets, number of TCP sessions etc.),
- provide continuous monitoring,
- defence-in-depth (multiple layers of security),
- use VPN - it provides a secure channel over an untrusted network, encrypted packets (broad vs. application-specific VPN),
- DDoS protection (such as BGP Flowspec, which automatically blocks ports that are part of a DDoS attack),
- use IDS/IPS.
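The first two items in the list, account lock-out and rate limiting, are easy to get subtly wrong (a lock that never expires, or a limiter that is checked after the expensive work). The following added example, not from the original slides, shows both mechanisms combined in one login guard: a sliding-window limiter per source address, and a per-account failure counter with a timed lock. The thresholds and the attempt schedule are constructed for illustration.

```python
"""Account lock-out plus per-source rate limiting, as listed on the slide.
Added example, not from the original; thresholds and the attempt schedule are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass

class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key (e.g. a source IP)."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and q[0] <= now - self.window:   # forget timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0

class LoginGuard:
    """Combines rate limiting (per source) with lock-out (per account) after repeated failures."""

    def __init__(self, max_failures=5, lockout_seconds=900, rate_limit=10, rate_window=60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.limiter = SlidingWindowLimiter(rate_limit, rate_window)
        self.accounts = defaultdict(AccountState)

    def attempt(self, user: str, src_ip: str, password_ok: bool, now: float) -> str:
        # 1. Rate limit first, so a flood is rejected before any account work happens.
        if not self.limiter.allow(src_ip, now):
            return "rate-limited"
        state = self.accounts[user]
        # 2. Refuse while locked; an expired lock resets the failure counter.
        if state.locked_until > now:
            return "locked"
        if state.locked_until:
            state.failures, state.locked_until = 0, 0.0
        # 3. Normal verification; a success clears the counter.
        if password_ok:
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.max_failures:
            state.locked_until = now + self.lockout_seconds
            return "locked"
        return "failed"

# Constructed schedule: (time in seconds, user, source address, password_ok).
SCHEDULE = [
    (0, "alice", "203.0.113.10", False),
    (1, "alice", "203.0.113.10", False),
    (2, "alice", "203.0.113.10", False),   # third failure -> locked for 300 s
    (3, "alice", "203.0.113.10", True),    # correct password, but the account is locked
    (4, "alice", "203.0.113.10", False),
    (5, "alice", "203.0.113.10", False),   # sixth request within 60 s -> rate-limited
    (301, "alice", "203.0.113.10", True),  # lock still active (expires at t=302)
    (302, "alice", "203.0.113.10", True),  # lock expired -> ok
]

def simulate(schedule=SCHEDULE) -> list:
    """Run the schedule through a guard with small thresholds and return the verdicts."""
    guard = LoginGuard(max_failures=3, lockout_seconds=300, rate_limit=5, rate_window=60)
    return [guard.attempt(u, ip, ok, t) for t, u, ip, ok in schedule]

if __name__ == "__main__":
    for (t, *_), result in zip(SCHEDULE, simulate()):
        print(f"t={t:3}s  {result}")
```

Note that the guard answers "locked" even for a correct password while the lock is active: a lock-out that is bypassed by the right credentials would tell a guesser exactly when they succeeded. Returning the same "failed" message to the client for "failed" and "locked" is a reasonable next step; the distinct values here are kept only so the behaviour can be checked.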
Network security devices

PREVENTION
- Firewall - as a hardware appliance, as software inserted into a network device used for other purposes, or as a software firewall. The hardware option is a router with a filtering ruleset; it increases privacy and reduces risks, and enforces the organisation's security policy.
- IPS - Intrusion prevention system

DETECTION
- IDS - Intrusion detection system

Firewall

Benefits:
- it enforces the organisation's security policy
- it protects systems from incoming and outgoing attacks
- ingress and egress traffic filtering
- filtering communication based on content
- it encrypts communication
- it stores logs about successful and blocked traffic
- it increases privacy

Shortcomings:
- they cannot prevent attacks on applications
- encrypted traffic (e.g. VPN) might bypass it
- the organisation sees the firewall as a sufficient security control
- if the traditional approach is in use, they represent a single point of failure

A firewall is just one of the technological security controls. To be secure, an organisation has to apply a defence-in-depth principle, implementing multi-layer security. If one control fails, another one is still in place to prevent a compromise.
Intrusion detection system
NIDS = network IDS
- serves as a detection system, it checks network traffic
- an IDS can be seen as an alarm system, not as a firewall
- reports attacks against monitored systems
- the alerts that are sent are reviewed by a human
- it is deployed as a passive sniffer, captures traffic, detects events of interest and sends alerts
- it is placed at different points in the network

Also HIDS = host intrusion detection system, checks traffic to/from the device and local file changes.

VARIANTS of DETECTION:
- anomaly detection (relies on AI, it understands what normal traffic is and reports anomalies)
- signature-based detection (detection of bad patterns, malware) - has a db of patterns
- reputation-based detection (reports security events based on a reputation score)

The IDS process uses 2 methods of packet inspection:
- shallow packet inspection: checks the header (is limited)
- deep packet inspection: inspection of all fields, including variable-length ones

IDS SOFTWARE: Suricata, Snort, Zeek, Security Onion, Sguil
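The three detection variants listed above differ in what they need as input: a pattern database, a learned baseline, or an external reputation score. The added example below, written for this page and not taken from the slides or from any of the listed IDS products, runs all three over a handful of constructed connection-log lines. The log format, the two signatures, the baseline traffic and the reputation scores are all invented for illustration.

```python
"""Signature-, anomaly- and reputation-based detection over constructed connection logs.
Added example; the log format, signatures, baseline and reputation scores are invented."""
import re
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"bytes=(?P<bytes>\d+) payload=(?P<payload>.*)$"
)

# Constructed baseline of ordinary traffic, used to learn what "normal" looks like.
BASELINE_LOG = """\
2023-10-02T09:00:01 src=10.0.0.5 dst=10.0.0.80 dport=443 bytes=1200 payload=GET /index.html
2023-10-02T09:00:02 src=10.0.0.6 dst=10.0.0.80 dport=443 bytes=900 payload=GET /about
2023-10-02T09:00:03 src=10.0.0.5 dst=10.0.0.80 dport=443 bytes=1100 payload=GET /news
2023-10-02T09:00:04 src=10.0.0.8 dst=10.0.0.80 dport=443 bytes=1000 payload=GET /contact
"""

# Constructed traffic to inspect: one benign request and three that should alert.
OBSERVED_LOG = """\
2023-10-02T10:00:01 src=10.0.0.5 dst=10.0.0.80 dport=443 bytes=1150 payload=GET /index.html
2023-10-02T10:00:02 src=198.51.100.7 dst=10.0.0.80 dport=80 bytes=1000 payload=GET /../../etc/passwd
2023-10-02T10:00:03 src=10.0.0.7 dst=10.0.0.80 dport=443 bytes=48000 payload=GET /report.pdf
2023-10-02T10:00:04 src=203.0.113.9 dst=10.0.0.80 dport=443 bytes=800 payload=GET /search?q=1 UNION SELECT 1
"""

# Signature database: named patterns of known-bad requests (deliberately tiny).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"union\s+select", re.IGNORECASE),
}

# Reputation feed (constructed): score 0-100, higher means worse.
REPUTATION = {"198.51.100.7": 85, "203.0.113.9": 10}

def parse(log: str) -> list:
    """Turn log lines into dicts; malformed lines are skipped rather than crashing the sensor."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["dport"], e["bytes"] = int(e["dport"]), int(e["bytes"])
            events.append(e)
    return events

def signature_alerts(events) -> set:
    """Signature-based: any payload matching a known-bad pattern."""
    return {(e["src"], name) for e in events
            for name, rx in SIGNATURES.items() if rx.search(e["payload"])}

def anomaly_alerts(events, baseline, z_threshold=3.0) -> set:
    """Anomaly-based: connection sizes far outside the learned baseline (z-score)."""
    sizes = [e["bytes"] for e in baseline]
    mu, sigma = mean(sizes), pstdev(sizes) or 1.0   # guard against a constant baseline
    return {(e["src"], "size-anomaly") for e in events
            if abs(e["bytes"] - mu) / sigma > z_threshold}

def reputation_alerts(events, bad_threshold=50) -> set:
    """Reputation-based: sources whose score from the feed is above the threshold."""
    return {(e["src"], "bad-reputation") for e in events
            if REPUTATION.get(e["src"], 0) >= bad_threshold}

def run_ids(observed=OBSERVED_LOG, baseline=BASELINE_LOG) -> list:
    """Return sorted (source, alert) pairs from all three detection variants."""
    ev, base = parse(observed), parse(baseline)
    return sorted(signature_alerts(ev) | anomaly_alerts(ev, base) | reputation_alerts(ev))

if __name__ == "__main__":
    for src, alert in run_ids():
        print(f"ALERT {alert:15} from {src}")
```

The 800-byte request from 203.0.113.9 is caught by its signature but not by the size model (its z-score is about 2.2, under the threshold) and not by reputation (score 10): each variant sees something the others miss, which is why the slide lists all three rather than one. The anomaly detector here is a deliberately simple statistical baseline standing in for the "AI" the slide mentions; the point is the need for a learned notion of normal, not the particular model.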
Intrusion prevention system
NIPS = network IPS
- serves as a protection system
- often combined with the NIDS in the same software
- should be used in combination with a firewall and other security controls
- usually deployed right in front of or behind the firewall; if behind the firewall, it can also check internal traffic
- rule-based approach
- problem if there are false positives that stop legitimate traffic

Also HIPS = host intrusion protection system, stops attacks at the OS level.

IPS SOFTWARE: Cisco IPS, Snort, Fail2ban, Zeek, SolarWinds

IPS =! FIREWALL
A firewall allows or denies traffic based on ports or the source/destination addresses. An IPS compares traffic patterns to signatures and allows or drops packets based on any signature matches found.

How does an IPS detect threats?

Network attack mitigation software
Usually physical appliances, deployed between the router and the network firewall, commercial solutions. They prevent DDoS attacks (blackholes, scrubbing), brute force attacks, SYN flood attacks etc.

EXAMPLES:
- Arbor Edge Defense (AED) is an inline security appliance deployed at the network perimeter (i.e. between the internet router and the network firewall).
- F5 Silverline DDoS prevention
- Radware DefensePro
NETWORK SECURITY POLICIES

A network security policy (NSP) is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security/network security environment. (Red Hat)

- Policies should be defined because they make us aware of how the system normally performs and what is allowed.
- Policies can be enforced by firewalls, proxies, VPN, IDS/IPS, and ACLs on switches/routers, and on the application level.

Useful security policies for your network:
- Account Management
- Password policy
- E-Mail policy
- Security Incident Management
- Log Management
- Acceptable Use
- Server Security
- Bring Your Own Device (BYOD) Agreement
- Patch Management
- Systems Monitoring And Auditing
- Remote work policies
- Vulnerability Management
- Workstation Configuration Security
IPv6 SECURITY

Organisations are transitioning to IPv6. Security considerations encompass:
- issues due to the IPv6 protocol itself,
- issues due to transition mechanisms, and
- issues due to IPv6 deployment.

IPv6 uses 128-bit internet addresses, so it can support 2^128 internet addresses. The number of IPv6 addresses is 10^28 times larger than the number of IPv4 addresses.

See https://datatracker.ietf.org/doc/html/rfc4942

Internet Society offers links to useful articles and standards:
https://www.internetsociety.org/deploy360/ipv6/security/

IPv6 SECURITY

IPv6 is not more secure than IPv4 by itself.

Benefits of IPv6:
- Auto-configuration of IP addresses (no more DHCP)
- Built-in authentication and privacy support (IPsec is part of the protocol suite)
- No more private address collisions
- QoS using the Flow Label field of the IPv6 header
- Simpler header format
- Better multicast routing
- Simplified, more efficient routing
- Flexible options and extensions
- No more NAT (Network Address Translation)

Problems:
- human error (IPv6 hardening not included by default, only IPv4)
- Lack of knowledge and experience about IPv6
- Ineffective rate limiting
- Lack of IPv6 support at ISPs, service providers and vendors
- a host can have multiple IPv6 addresses simultaneously, which is unusual in IPv4 -> problem for IDS/IPS
- IPv6 is often enabled by default, without anyone knowing
DEFENCE-IN-DEPTH
Encryption in one layer means encryption in all upper layers.

Encryption
Where can we implement encryption?
- Application-specific VPN
- SFTP, SSH
- TLS, SSL
- IPsec
- PPTP, L2TP, MACsec

OTHER NETWORK SECURITY CONSIDERATIONS

01. Network security policies: Policies are a translation of network requirements into a set of rules. Policies should be defined; they make us aware of how the system normally performs and what is allowed.
02. Network access control: Security mechanisms include limiting physical access to devices, security policies, user authentication, device security, firewalls, proxies and others.
03. Software defined network: The objective is to make the network as flexible and as agile as a VM. SDN enables micro-segmentation and decreases the exposure to system attacks.
04. KISS principle: A too-complex network design will be difficult to manage. Find a compromise between complexity and usability.
Network security tools
- Wireshark + tshark - network sniffer
- Metasploit - scanners for more than 1500 operations
- Nessus - identifies and corrects faulty updates
- OpenVAS - checks configuration and basic web flaws
- Argus - open-source network analysis tool
- tcpdump - network sniffer
- nmap
- Kali Linux - bootable Linux with multiple security and forensics tools
- Snort - network intrusion detection and prevention system (traffic analysis)
- Suricata - IPS
- Netcat - utility that reads/writes data across TCP/UDP network connections

Traffic sniffers: Snort, tcpdump, Wireshark, dsniff (for switches), Kismet (for wireless), nmap

CENTRAL LOGGING: Loki, ELK, rsyslog, syslog-ng, Graylog, Splunk

Logging and monitoring
WHAT TO LOG?
- network traffic
- syslog from devices
- snmp for network devices
- ntp (sync time across the entire network)

- Use central logging
- normalise and visualise logs
- analyse daily operations and look into security events that may be signs of an attack, apply countermeasures
- collect snmp logs, ntp logs and network traffic logs
- collect syslog from devices
Network device hardening
CISCO DEVICES:
- passwords are not encrypted by default
- ssh version 1 by default, change to version 2
- console password is not set, do it
- disable telnet (plain text), only allow ssh access
- limit access to only console

- disable unused ports
- unused ports can be put in a separate VLAN which is not used
- disable unused services (for instance the http server is enabled by default on Cisco devices)
- use infrastructure ACLs - drop invalid traffic from the external network, e.g. only allow web traffic for www, block everything else (filter fragments)
- use port security - the port is configured for a specific MAC or a certain range is allowed
- limit remote access to the console
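Most of the hardening points above are visible in a device's running configuration, so they can be checked automatically before and after a change. The following added example, written for this page and not part of the original slides or of any vendor tool, parses an IOS-style configuration excerpt and reports which of the slide's items are not met. Both configuration excerpts are constructed (the password values are placeholders); the checks cover only the items on the slide and are not a complete benchmark.

```python
"""Audit of an IOS-style running-config against the hardening points on the slide.
Added example, not from the original; the config excerpts are constructed and the
checks cover only the slide's items, not a full CIS benchmark."""

def parse_blocks(config: str):
    """Split a config into top-level lines and indented sub-blocks keyed by their header line."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # '!' separates sections in IOS configs
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line
            blocks[current] = []
            top.append(line)
    return top, blocks

def audit(config: str) -> list:
    """Return a sorted list of finding identifiers; an empty list means every check passed."""
    top, blocks = parse_blocks(config)
    findings = []
    if "service password-encryption" not in top:
        findings.append("plaintext-passwords")       # passwords not encrypted by default
    if not any(l.startswith("enable secret") for l in top):
        findings.append("no-enable-secret")
    if "ip http server" in top:
        findings.append("http-server-enabled")       # unused service enabled by default
    if "ip ssh version 2" not in top:
        findings.append("ssh-not-v2")                # ssh v1 by default
    if "no cdp run" not in top:
        findings.append("cdp-enabled")               # CDP manipulation is on the attack list
    for header, body in blocks.items():
        if header.startswith("line con") and not any(l.startswith("password") for l in body):
            findings.append("console-no-password")
        if header.startswith("line vty"):
            transport = [l for l in body if l.startswith("transport input")]
            if not transport or any("telnet" in l or "all" in l for l in transport):
                findings.append("vty-telnet-or-unrestricted")  # plain-text remote access
        if (header.startswith("interface") and "switchport mode access" in body
                and "switchport port-security" not in body):
            findings.append("no-port-security:" + header.split(None, 1)[1])
    return sorted(findings)

# Constructed "before" config showing the default-like weaknesses from the slide.
WEAK_CONFIG = """\
hostname edge-sw1
!
ip http server
ip ssh version 1
!
line con 0
 login
!
line vty 0 4
 transport input telnet ssh
 password <WEAK-PLAINTEXT-PASSWORD>
 login
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
!
interface GigabitEthernet0/2
 switchport mode access
!
"""

# Constructed "after" config applying the slide's hardening items.
HARDENED_CONFIG = """\
hostname edge-sw1
service password-encryption
enable secret <ENABLE-SECRET-PLACEHOLDER>
no cdp run
no ip http server
ip ssh version 2
!
line con 0
 password <CONSOLE-PASSWORD-PLACEHOLDER>
 login
!
line vty 0 4
 transport input ssh
 login local
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
!
interface GigabitEthernet0/2
 shutdown
!
"""

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Running the audit over a configuration pulled by the automatic-configuration tooling mentioned on the earlier slide turns the hardening list into a repeatable check rather than a one-off manual review; the same parser can be extended with further items (for example the infrastructure ACL on the uplink) as the organisation's policy grows.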
QUIZ

Are the following statements true or false?
- The objective of network security is to reduce the attack surface.
- It is not possible to implement defence-in-depth only on the network layer.
- NAT should be used for internal networks.
- Security of network devices includes primarily physical security, remote access control and environmental threats.
- Cisco devices have SHA256 set as default password encryption.
- The Port Security feature can protect the switch from MAC flooding attacks and from DDoS.

Which access mode should be disabled on network devices, because it sends username and password in plain text?

Name at least three measures that apply to network security.

Explain at least 3 ways of hardening network devices.