CMP 313 Network Security Measures
Network security measures are the security controls you add to your networks to protect
confidentiality, integrity, and availability. These controls continue to evolve, but there is a lot of
fundamental knowledge that is readily available. It takes effort to keep attackers out of your
network. Firewalls, proxies, and gateways work toward that end.
It is dangerous to assume that those devices will absolutely keep attackers out of your network.
Hackers eventually find a way in. A well-known hacker, Kevin Mitnick, claims a 100% success
rate when conducting penetration tests against companies that have hired him to test their
network security.
There is always a way in. Security requires continued work to learn, evolve, and stay ahead of
the hackers. It is also critical to have incident response plans and teams in place when hackers do
get in.
Firewall
A firewall blocks or allows traffic to pass. The traffic allowed to pass through a firewall is
specified in its configuration based on the type of traffic a business has and needs. The most
important security best practice with a firewall is that it should block all traffic by default. It
should then be configured to allow only specific traffic to known services. The configuration of
the firewall is critical, so the firewall administrator's knowledge is crucial.
Firewalls operate at different layers within the International Standards Organisation Open
System Interconnect (ISO OSI) model. Usually, anything called a firewall lives at layers 2-5. If
the firewall is at layer 7, it is often referred to as a proxy or gateway. The exception is a web
application firewall (WAF), which uses the word firewall and is at layer 7. A firewall analyses
information found at the layer of the OSI model where it works.
Here are a few examples of how a firewall could operate at different layers:
Layer 2 – data link – it could make a block or forward decision based on the media access
control (MAC) address on the frame.
Layer 3 – network – it could make a block or forward decision based on the Internet Protocol
(IP) address within the packet.
Layer 4 – transport – it could make a block or forward decision based on the transmission control
protocol (TCP) port number in the datagram.
Layer 5 – session – it could make a block or forward decision based on the real-time protocol
(RTP) information.
Layer 7 – data – it could make a block or forward decision based on application or application
service.
A firewall is configured with a list of rules that are sometimes referred to as policies. The
firewall uses this list of rules to determine what to do with traffic once it arrives at the firewall.
The rules work from a top-down perspective.
The firewall compares the frame or packet it just received to the first rule in the list. If it matches
the traffic type of that rule, it follows the instructions for that rule. A rule could say the traffic
can pass, or that it should be blocked and discarded.
If the frame or packet does not match the first rule, the firewall compares it to the second and so
on. If the traffic does not match one of the explicitly defined rules, the firewall will follow the
final rule which should be to discard the traffic.
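The following is an added example (not part of the course notes) that shows how the rule-list evaluation just described can be modelled in Python: each rule inspects the layer 2, 3 or 4 fields it cares about, rules are compared top-down, the first match decides, and a packet that matches nothing falls through to the implicit final rule, which denies it. The packet fields, rule set, addresses and MAC address are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Constructed packet model: the fields a layer 2/3/4 firewall can inspect.
@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


# One entry in the firewall's ordered rule list. A field left as None matches anything.
@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src_mac: Optional[str] = None   # layer 2: source MAC address on the frame
    src_net: Optional[str] = None   # layer 3: source IP network in CIDR form
    dst_net: Optional[str] = None   # layer 3: destination IP network in CIDR form
    proto: Optional[str] = None     # layer 4: transport protocol
    dst_port: Optional[int] = None  # layer 4: destination port

    def matches(self, pkt: Packet) -> bool:
        if self.src_mac is not None and pkt.src_mac.lower() != self.src_mac.lower():
            return False
        if self.src_net is not None and ipaddress.ip_address(pkt.src_ip) not in \
                ipaddress.ip_network(self.src_net, strict=False):
            return False
        if self.dst_net is not None and ipaddress.ip_address(pkt.dst_ip) not in \
                ipaddress.ip_network(self.dst_net, strict=False):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first-match evaluation.

    Returns (action, index of the rule that matched). If no explicit rule matches,
    the implicit final rule applies: deny, reported with index None.
    """
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None


# Constructed rule set for a small network with a web server (10.0.0.10) and an
# SSH host (10.0.0.20). Everything not listed here is dropped by the final rule.
RULES = [
    # Layer 2: a known bad NIC is blocked before any other rule is considered.
    Rule(action="deny", src_mac="00:11:22:33:44:55"),
    # Layer 3 + 4: anyone may reach the web server on HTTPS.
    Rule(action="allow", dst_net="10.0.0.10/32", proto="tcp", dst_port=443),
    # Layer 3 + 4: SSH to the admin host only from internal addresses.
    Rule(action="allow", src_net="10.0.0.0/8", dst_net="10.0.0.20/32",
         proto="tcp", dst_port=22),
]


if __name__ == "__main__":
    samples = [
        Packet("aa:bb:cc:dd:ee:01", "203.0.113.5", "10.0.0.10", "tcp", 443),   # allow, rule 1
        Packet("aa:bb:cc:dd:ee:01", "203.0.113.5", "10.0.0.10", "tcp", 23),    # deny, final rule
        Packet("00:11:22:33:44:55", "10.1.2.3", "10.0.0.10", "tcp", 443),      # deny, rule 0
        Packet("aa:bb:cc:dd:ee:02", "198.51.100.7", "10.0.0.20", "tcp", 22),   # deny, final rule
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, pkt))
```

Because evaluation stops at the first match, rule order is part of the policy: moving the MAC-address deny to the bottom of the list would let the blocked NIC's HTTPS traffic through on the earlier allow rule.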
Proxy
A proxy firewall lives at layer 7 of the OSI model. When a proxy receives traffic, it processes the
frame or packet up through the layers: the frame header is stripped off at layer 2, the packet
header is removed at layer 3, and so on until only the data remains at layer 7.
The transport layer security (TLS) connection is terminated at layer 4, and the data is in clear text
within the proxy from that point forward. The proxy then analyses the data being transmitted,
which would have been impossible at lower levels because of the encryption. This enables the
device to analyse a lot more data than a standard firewall. This usually takes more time or
processing power than a firewall, but gives greater control over user traffic.
Gateway
The term gateway has different meanings depending on who you talk to. A gateway was
traditionally a piece of hardware that sat between two networks. The average gateway today has
a firewall element in it. For example, Microsoft Azure has a WAF built into its gateway. So, a
gateway is now debatably a type of firewall.
The next concern is to detect intrusions into a network using Intrusion detection systems (IDSs).
These devices are passive. They watch network traffic go by and log suspicious traffic. An IDS
could be on the network or the end device. Depending on where it is, it is called a network-based
IDS (NIDS) or host-based IDS (HIDS).
A NIDS is usually connected to a tap or span port of a switch. This means that traffic is passed
on to its destination without interference, and a copy goes out the span port to the NIDS for
analysis. If it is a HIDS, it resides on the laptop, tablet, server, etc. Most HIDS do not analyse
live traffic, but instead analyse traffic logs after the fact.
At some point, the manufacturers took these devices to the next level. If they can detect an
attack, why not discard suspicious frames or packets at the device instead of only reporting on
them? This is how intrusion prevention systems (IPS) came about. IPSs can also be network-based
(NIPS) or host-based (HIPS).
This is a wonderful idea, but it comes with a downside. The IPS must know what is and is not
good traffic. This can be done with signature files, or the IPS can learn what normal traffic looks like.
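The following is an added example (not part of the course notes) that contrasts the two modes described above with a small signature-based sensor in Python. In IDS mode the sensor only records an alert and every packet is still forwarded; in IPS mode a matching packet is dropped. The third sample packet shows the downside: a deliberately loose content signature matches an ordinary e-mail sentence, which an IDS merely logs but an IPS blocks. Signatures, addresses and payloads are all constructed for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


# A signature pairs an identifier with what to look for: a destination port,
# a regular expression over the payload, or both.
@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    dst_port: Optional[int] = None   # None = any port
    content: Optional[str] = None    # regex over the payload; None = any content


SIGNATURES = [
    # Telnet is an unencrypted remote login protocol; flag any use of it.
    Signature(sid=1001, name="Cleartext Telnet session", dst_port=23),
    # Deliberately loose rule, included to show the cost of an over-broad signature.
    Signature(sid=1002, name="Possible SQL query in traffic",
              content=r"(?i)select\s+.*\s+from"),
]


@dataclass
class Sensor:
    mode: str                          # "ids" = passive (log only), "ips" = inline (can drop)
    signatures: List[Signature]
    alerts: List[Dict] = field(default_factory=list)

    def inspect(self, pkt: Dict) -> str:
        """Return "forward" or "drop" for one packet.

        An IDS never returns "drop": it records an alert and the traffic it saw a
        copy of continues to its destination. An IPS drops on the first match.
        """
        for sig in self.signatures:
            if sig.dst_port is not None and pkt["dst_port"] != sig.dst_port:
                continue
            if sig.content is not None and not re.search(sig.content, pkt["payload"]):
                continue
            self.alerts.append({"sid": sig.sid, "name": sig.name,
                                "src": pkt["src"], "dst": pkt["dst"]})
            return "drop" if self.mode == "ips" else "forward"
        return "forward"


# Constructed traffic sample: a Telnet login, a normal HTTPS request, and a
# benign e-mail whose wording happens to match the loose SQL signature.
TRAFFIC = [
    {"src": "10.1.1.5", "dst": "10.0.0.3", "dst_port": 23,
     "payload": "login: admin\r\n"},
    {"src": "10.1.1.9", "dst": "10.0.0.10", "dst_port": 443,
     "payload": "GET /index.html HTTP/1.1\r\n"},
    {"src": "10.1.1.12", "dst": "10.0.0.25", "dst_port": 25,
     "payload": "Please select two items from the list."},
]


def run(mode: str) -> Tuple[List[str], List[Dict]]:
    """Run the sample traffic through a sensor in the given mode."""
    sensor = Sensor(mode=mode, signatures=SIGNATURES)
    verdicts = [sensor.inspect(pkt) for pkt in TRAFFIC]
    return verdicts, sensor.alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, alerts = run(mode)
        print(mode.upper(), "verdicts:", verdicts)
        for alert in alerts:
            print("  alert", alert["sid"], alert["name"], alert["src"], "->", alert["dst"])
```

Both modes raise the same two alerts; only the IPS changes what reaches the destination, which is why signature quality matters far more once a sensor is placed inline.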
The next concern to address is how to protect data, voice, or video that is transmitted anywhere
someone might be able to eavesdrop. This includes within a corporate or home network and
outside of those networks such as across the internet or on a service provider’s network.
Encryption addresses this concern by making the data unreadable without the key. For data-in-transit,
there are a few options for encryption. They are as follows:
SSL/TLS
SSL/TLS has been in use since 1995 to protect browser-based connections. Netscape invented
SSL. Versions 2.0 and 3.0 were in use until the Internet Engineering Task Force (IETF) adopted
and renamed it. This occurred in 1999 when America Online (AOL) bought Netscape. Now TLS
1.3 (RFC 8446) is the latest version. TLS is not only used for browser-based connections. It is
also used for a user VPN connection to connect to the office.
SSL/TLS is a transport layer protocol that uses TCP port 443 when applied to browser
connections.
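The following is an added example (not part of the course notes) showing, with Python's standard ssl module, the client-side settings that decide whether a TLS connection actually protects the browser-style connection described above. The weak context disables certificate and hostname verification, which is a common mistake in application code; the hardened one keeps verification on and refuses anything older than TLS 1.2. Both contexts are built offline; no connection is made.

```python
import ssl
from typing import Dict


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern: a client context that does not verify who it is talking to.

    With CERT_NONE and no hostname check, any device on the path can terminate
    the TLS session with its own certificate and read the traffic in clear text.
    (check_hostname must be switched off before verify_mode, or ssl raises.)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Recommended: system trust store, certificate + hostname verification,
    and TLS 1.2 as the floor so legacy SSL/TLS versions are never negotiated."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise the properties a reviewer would check on a TLS client context."""
    return {
        "verifies_server_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
        "accepts_legacy_ssl": ctx.minimum_version in (
            ssl.TLSVersion.SSLv3, ssl.TLSVersion.MINIMUM_SUPPORTED),
    }


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The audit function is what you would run over contexts built by application code: TLS on port 443 gives confidentiality only if the client also verifies the server's certificate, otherwise the encryption is negotiated with whoever answers.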
SSH
SSH is an encryption method most commonly used for remote login. Network
administrators use SSH to remotely log in and administer network devices such as routers and
switches. It is generally thought of as a replacement for Telnet, which is an unencrypted layer 7
remote login protocol. SSH, too, can be used for VPN connections. SSH is specified
in IETF RFC 4253. It uses TCP port 22.
IPsec
IPsec is a network layer protocol that provides encryption and integrity checking capability to
any connection type. There are many different IETF RFC documents that specify the different
parts of what is considered IPsec. RFC 6071 offers a roadmap showing how these documents
relate to each other.
IPsec provides two security protocols: authentication header (AH) and encapsulating security
payload (ESP).
AH is used to provide data origin authentication and integrity. An IPsec implementation does not
have to support AH. AH encrypts the header of the IP packet.
All IPsec implementations must support ESP, which offers data origin authentication, integrity
and confidentiality. ESP encrypts the payload of the IP packet.
Concerns over data flowing out of your business inappropriately can be addressed by data leak
prevention (DLP) technology. It watches for sensitive information in data flows such as emails
or file transfers.
If DLP software sees sensitive information such as a credit card number, it blocks or stops the
transmission. It can also encrypt it if that is a more appropriate action. The question is what your
business wants to control and how it wants the network to respond when the DLP software
detects that data.
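The following is an added example (not part of the course notes) of the DLP decision just described, written in Python: it scans an outbound message for credit card numbers and returns the action the business policy calls for (block, or encrypt). A regular expression alone would flag any 13 to 19 digit string, so the Luhn check that real card numbers satisfy is applied to cut false positives, and matches are reported masked so the log does not itself leak the number. The messages, card number (a standard test number) and order number are constructed for the illustration.

```python
import re
from typing import Dict, List

# Candidate: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the card-like numbers in text that also pass the Luhn check."""
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    """Keep only the last four digits for the DLP log."""
    return "*" * (len(digits) - 4) + digits[-4:]


def dlp_decide(message: Dict[str, str], policy: str) -> Dict[str, object]:
    """Decide what to do with an outbound message.

    policy is the business's chosen response when card data is found:
    "block" stops the transmission, "encrypt" lets it go out protected.
    """
    if policy not in ("block", "encrypt"):
        raise ValueError("policy must be 'block' or 'encrypt'")
    hits = find_card_numbers(message["body"])
    if not hits:
        return {"action": "allow", "matches": []}
    return {"action": policy, "matches": [mask(h) for h in hits]}


# Constructed outbound messages. 4111 1111 1111 1111 is a well-known test
# card number that passes Luhn; 1234567890123456 is a 16-digit order number that does not.
MESSAGES = [
    {"to": "vendor@example.com", "body": "Please charge card 4111 1111 1111 1111, exp 12/27."},
    {"to": "customer@example.com", "body": "Your order 1234567890123456 has shipped."},
]


if __name__ == "__main__":
    for msg in MESSAGES:
        print(msg["to"], "->", dlp_decide(msg, policy="block"))
```

Whether the right response is "block" or "encrypt" is the business decision the notes refer to; the detector only supplies the match and its confidence.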
Digital rights management (DRM) uses technology to control access to intellectual property (IP). If you have used Kindle, iTunes, Spotify, Netflix,
or Amazon Prime Video, you have used DRM software. The software enables you to see the
video, read the book, or listen to the music once you have purchased it from the vendor. A
business example is Cisco controlling access to course manuals once the customer purchases a
class.
Javelin and LockLizard are other examples of DRM technology businesses can use to control
content distribution. DRM technology uses access control that governs how long someone can
use the content, if it can be printed, if it can be shared, etc. The parameters are based on the IP
owner’s desires.
Possibly the most critical security measures a business can put in place involve security issue
detection and correction. The starting point is logging. Virtually all systems on or attached to a
network should generate logs.
A business determines what exactly to log. This could include login attempts, traffic flows,
packets, actions taken, or even every keystroke a user makes. The decision on what to log should
be based on the risk appetite of the business, the sensitivity of the assets and the vulnerabilities of
the systems.