In the world of network security, we may face any of a number of threats. These may take the form of configuration issues on infrastructure or network-enabled devices, outages of power or communications lines, or more direct threats from attackers. As many people throughout the world are now heavily dependent on computers and networks to conduct business and manage their personal lives, loss of network connectivity and access to the services that depend on these networks can be extremely disruptive, at the least.
In this article, we will discuss some of the mechanisms that are used to protect networks, items of security infrastructure and devices put in place to increase stability and security, and measures taken to protect the traffic moving over these networks. The article may seem a little less technical for the more advanced ethical hacking crowd, but as this column moves forward, a base level of knowledge is a good thing to reinforce before moving on to higher level topics and even a new contest next month (wink wink nod nod).
When planning out how to protect networks and networked resources against the threats that they might face, there are several avenues we can look to. Security can be enhanced by applying proper network design principles and by laying out networks in an inherently secure manner in order to make them more resilient against attacks or in the face of technical issues. We can also implement security devices inside and outside of the network to increase the level of security, often making use of devices such as firewalls and intrusion detection systems.
Secure Network Design
Secure network design principles provide us with an excellent mechanism to protect networks from many of the threats that they may face. With a properly designed network, we can prevent some attacks, mitigate other attacks, and, when worst comes to worst, ensure that the network will fail in a controlled manner.
Segmenting a network can go a long way toward helping to protect networks, or at least lessen the severity of the issues when they do occur. A segmented network is divided into multiple smaller networks (generally logical in nature), with each segment separated from the others to varying degrees. The flow of traffic between segments can be controlled, allowing or disallowing traffic based on a variety of factors, or even blocking the traffic entirely, if we so desire. Segmented networks can enjoy a large boost in performance by containing traffic to the segments actually needing to see it, and can also help to localize issues when they do occur. Additionally, network segmentation can help to prevent unauthorized traffic or attack traffic from reaching more sensitive areas of the network.
A design factor that can be of assistance in securing networks is to channel traffic through specific points where we can inspect, filter, and control the traffic, often called choke points. These choke points may be the routers moving traffic from one subnet to another, the firewalls controlling traffic moving within, into, or out of our networks, or proxies filtering traffic for particular applications such as web or email traffic. Choke points can also be a two-edged sword, as intentionally setting up such restrictions can make certain issues worse if network problems occur.
Redundancy can also be a large factor in mitigating certain network issues. Technical problems or attacks can render portions of the network unusable. The failure of network infrastructure devices, such as firewalls or any of a number of other components contributing to the functionality of our networks, may take the network down entirely.
Strong network design usually includes redundancy to compensate for devices failing, loss of connectivity, or attacks causing the failure of components or connectivity. For instance, if a border device is under a Distributed Denial of Service (DDoS) attack, there really are not many measures that will directly stop the attack. We can try to work around the issue by switching to a secondary connection to the internet, routing traffic through another device, or attempting to filter the malicious traffic out, until we can come to a better long-term solution.
A firewall is a network component that helps us to maintain control over traffic moving in and out of our networks. A firewall is usually placed at a point on the network where we see a change in the level of trust. We may place a firewall on the boundary between the internal network and the Internet (Figure 1), or we might place firewalls on the internal network to prevent network resources from being accessed by those that are not authorized to do so.
Figure 1 – Firewall
Many firewalls in use today are based around the concept of inspecting the packets coming over the network to decide what traffic should be allowed through. Whether this traffic is allowed or disallowed can be based on a variety of factors, and the process of sorting this out largely depends on the capabilities of the firewall performing the inspection.
Packet Filtering Firewalls
Packet filtering is one of the oldest and most simple firewall technologies. Packet filtering inspects each packet of traffic individually and determines, based on the source and destination IP address, the port number, and the protocol used, whether the traffic will be allowed or not. The possibility exists for certain types of attacks to slip past this type of firewall, as each packet is examined in isolation and not in the context of other packets making up the stream of traffic.
Simple packet filtering is often implemented on a router at the network edge, referred to as a screening router. Screening routers will filter out the low level traffic that is immediately detectable as being undesirable, such as Internet packets with an invalid source address (known as a bogon), traffic on disallowed ports, etc. Typically a screening router will sit in front of a more capable firewall. Such screening devices are put in place so that they can lessen the traffic load that reaches the devices in place behind them.
Stateful Packet Inspection Firewalls
Stateful packet inspection firewalls function on the same general principle as packet filtering firewalls, but they are able to inspect the traffic much more thoroughly. A packet filtering firewall inspects individual packets outside the context of other related packets. Stateful firewalls are able to track all of the traffic moving over a given connection defined by the source and destination IP addresses and the ports being used. Stateful firewalls use a state table to track the connection state and will only allow traffic that is part of a new or established connection. Most stateful firewalls also have packet filtering capabilities and can combine both methods of controlling traffic.
Next Generation Firewalls
Next generation firewalls add another set of capabilities entirely to firewall technology. These firewalls are capable of analyzing the contents of traffic moving through them, instead of solely inspecting the traffic itself. While packet filtering firewalls and stateful firewalls examine the network traffic itself to filter out attacks and undesirable content, next generation firewalls can actually reassemble the traffic. This enables the firewall to view the content in the same way that the application for which the traffic is destined is able to do.
The benefit to using such technologies is in being able to follow application traffic, even where such traffic may diverge from the expectation of what the traffic should look like. For instance, many applications will now commonly send traffic out over ports 80 (HTTP) and 443 (HTTPS), even if the traffic in question is not actually web traffic. This is usually done to ease the passage of traffic through a variety of devices and environments, as web traffic is almost always allowed to go through. With a next generation firewall, we can specifically watch for other applications such as Skype, streaming video or audio, game traffic, and so on that are using non-standard ports, and allow or disallow this traffic by application in addition to examining the parameters of the connection.
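The difference between a port-based rule and application-aware inspection, as an added example (not code from the original article): the classifier reads the first bytes of a payload, so an SSH session sent over port 443 is identified as SSH rather than passed as web traffic. The TLS and HTTP byte shapes are real protocol framing; the payloads, the port policy and the function names are assumptions.

```python
"""Added example, not code from the original article: identify the
application from the first bytes of a payload instead of from the port,
then apply a policy keyed on the application. The TLS and HTTP byte shapes
are real protocol framing; the payloads, port policy and names are assumptions."""
import re

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def identify_app(payload):
    """Content-based classification, the way a next generation firewall
    looks past the port. A TLS handshake record begins with content type
    0x16, version 0x03 0x0X, a two-byte length and handshake type 0x01
    (ClientHello); an SSH session opens with its version banner."""
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 \
            and payload[5] == 0x01:
        return "tls"
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"

# Ports each identified application may use (assumed policy).
APP_PORTS = {"http": {80}, "tls": {443}, "ssh": {22}}

def port_filter(dport):
    """What a port-only rule can do: web ports are open, nothing else."""
    return "allow" if dport in (80, 443) else "deny"

def ngfw_decision(dport, payload):
    """Allow only when the identified application belongs on that port."""
    app = identify_app(payload)
    return app, ("allow" if dport in APP_PORTS.get(app, set()) else "deny")

# Constructed payloads: a ClientHello, a web request, and an SSH banner
# arriving on port 443, the non-web-traffic-on-web-ports case described above.
TLS_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32
WEB_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
```

Compare `port_filter(443)` with `ngfw_decision(443, SSH_BANNER)`: the first allows on the port alone, the second identifies the application and denies it.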
Many next generation devices can even work in conjunction with directory service tools such as Microsoft’s Active Directory and regulate traffic by individual user. We could set up a firewall rule allowing web traffic for the users in our back office group, while disallowing the same traffic to users in our manufacturing group, or even construct a very complex rule based on the user, application, ports used, time of day, etc.
Although this technology does have great promise for exercising a much more granular level of control over traffic and blocking considerably more complex attacks, the question of privacy is also raised. In theory, a person viewing the output of a next generation firewall could read every email, view web pages exactly as the users saw them, and listen in on IM conversations and other means of communication.
Application Proxy Servers
Proxy servers are a highly specialized subset of firewall technologies. These devices can enhance security and provide a performance boost for the application or applications that they support, usually email or web browsing. Proxy servers can also serve as a choke point, as we discussed earlier when covering network design, in order to enable the filtering of traffic for attacks or undesirable content. Proxies also enable us to log traffic for future inspection and serve to provide a layer of anonymity for the devices utilizing them, as they usually display only a single external source for requests that are passed on to their destinations. Proxy servers are very common in the business world primarily due to the filtering and logging abilities they provide.
A DMZ (DeMilitarized Zone) is a combination of network design and protective device components, usually a firewall. As we discussed earlier when covering network design, we can usually increase the level of security on networks by properly segmenting them. Some systems must be exposed to external networks in order for them to function. This is often the case with mail and web servers. As such devices are directly exposed to the Internet, we need to take steps to ensure their security and the security of the devices on the network with which they communicate. This is usually done by placing a protective layer between these devices and the Internet and another between the internal network and the device (Figure 2).
Figure 2 – DMZ
This design enables us to restrict the traffic that can reach the server. In the case of our mail server example, we might restrict access into the DMZ to traffic destined for the common mail server ports, 143 for Internet Message Access Protocol (IMAP) and 25 for Simple Mail Transfer Protocol (SMTP). Restricting traffic in such a manner considerably decreases the available routes that an attacker might use to compromise the device in question.
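The packet filtering and stateful inspection sections above, applied to this DMZ mail server, as an added example (not code from the original article): the same constructed packet sequence is judged by a stateless filter and by a stateful one. Because the server also delivers mail outward, the stateless rule set has to admit any packet with source port 25 heading back to it, and so cannot tell a genuine reply from an unsolicited packet; the stateful filter admits only packets that match an entry in its state table. Addresses, packet fields and rule tables are assumptions.

```python
"""Added example, not code from the original article: one constructed packet
sequence judged by a stateless packet filter and then by a stateful filter,
both guarding the article's DMZ mail server (inbound SMTP 25 and IMAP 143).
Addresses, packet fields and rule tables are assumptions."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport syn ack", defaults=(False, False))

MAIL = "10.0.1.25"          # constructed DMZ mail server address
INBOUND_PORTS = {25, 143}   # SMTP and IMAP, as in the article

def stateless_filter(p):
    """Each packet judged alone. Because the server also delivers mail
    outward, a static rule must admit anything with source port 25 heading
    back to it: a reply and an unsolicited packet look identical."""
    if p.dst == MAIL and p.dport in INBOUND_PORTS:
        return "allow"              # clients and MTAs reaching the server
    if p.src == MAIL and p.sport in INBOUND_PORTS:
        return "allow"              # the server's replies to them
    if p.src == MAIL and p.dport == 25:
        return "allow"              # the server delivering mail outward
    if p.dst == MAIL and p.sport == 25:
        return "allow"              # presumed replies to that delivery
    return "deny"

class StatefulFilter:
    """Keeps a state table: only a policy-permitted SYN creates an entry,
    and only packets matching an entry count as established."""
    def __init__(self):
        self.table = set()          # (src, sport, dst, dport) of tracked flows

    def _new_allowed(self, p):
        return (p.dst == MAIL and p.dport in INBOUND_PORTS) or \
               (p.src == MAIL and p.dport == 25)

    def decide(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "allow"          # belongs to a tracked connection
        if p.syn and not p.ack and self._new_allowed(p):
            self.table.add(fwd)     # new connection the policy permits
            return "allow"
        return "deny"               # no connection gives this packet context

def compare(packets):
    sf = StatefulFilter()
    return [stateless_filter(p) for p in packets], [sf.decide(p) for p in packets]

# Constructed: an outbound delivery, its genuine reply, then an unsolicited packet to port 22.
SAMPLE = [
    Packet("10.0.1.25", 40000, "198.51.100.9", 25, syn=True),
    Packet("198.51.100.9", 25, "10.0.1.25", 40000, syn=True, ack=True),
    Packet("198.51.100.9", 25, "10.0.1.25", 22, ack=True),
]
```

`compare(SAMPLE)` shows the stateless filter allowing all three packets while the stateful filter denies the third, which matches no tracked connection.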
Network Intrusion Detection and Prevention
Intrusion Detection Systems (IDSs) are devices that are used to monitor the networks, hosts, or applications at which they are directed for types of activity indicating attacks. Multiple flavors of IDS exist including Host-based Intrusion Detection Systems (HIDS), Network-based Intrusion Detection Systems (NIDS), and Application Protocol-based Intrusion Detection Systems (APIDS). The particularly interesting variety of IDS for this discussion is the NIDS.
A NIDS will typically be placed on the network in a location where it can monitor traffic, but it also needs to be positioned so that it is not overloaded with extraneous traffic. Positioning a NIDS behind another filtering device such as a firewall (Figure 3) can eliminate some of the traffic the NIDS will need to inspect, greatly reducing the load on the device overall. As a NIDS will examine a large amount of traffic on a typical network, these devices usually do only a relatively high-level inspection to determine whether the traffic being inspected is problematic or not. A NIDS may miss some types of attacks, particularly those specifically crafted to pass through such inspections.
Figure 3 – NIDS
Intrusion Prevention Systems (IPSs) serve as a complementary component to IDSs. Where the IDS can only issue an alert when undesirable or unusual traffic is detected, the IPS can actually take direct action to do something about the issue, generally by rejecting or dropping the traffic in question. This capability requires the IPS to be placed in-line with the traffic being monitored (Figure 3). We will usually find an IDS on the same hardware and integrated with an IPS. Such a device is generally referred to as an IDS/IPS.
Protecting Data in Motion
Protecting networks from intrusion is a large concern, but we also need to protect the traffic moving over the network from those that might misuse it. Following the idea of defense-in-depth, we want to put multiple layers of security in place. Even when we are in a secure environment, we might be subjected to a variety of attacks, even from those within our own organization. We would be foolish to not put security measures in place to mitigate these types of issues.
One of the major concerns when we are sending data over a network is having the data intercepted by someone unauthorized to view it. Many networks are available today in offices, hotels, restaurants, and a variety of other places, and the opportunity to expose sensitive data by accident or through ignorance is huge. If we use applications and protocols that do not communicate in a secure fashion, the possibility exists for anyone taking the trouble to eavesdrop on the traffic to easily collect login credentials, credit card numbers, banking information, and a host of other data.
Virtual Private Networks (VPNs) provide a solution to the problem of needing to securely send traffic over insecure or untrusted networks. A VPN connection is an encrypted connection between two network points. Such connections usually consist of a VPN client application on one end and a VPN concentrator on the other end. The client authenticates to the VPN concentrator, usually over the internet, and after the connection has been established all traffic sent from and to the client travels through the encrypted connection.
In the world of business, VPNs are used to enable remote users to connect to the internal network of an organization, or to connect two networks together in a secure manner. When a VPN connection has been established, the client is able to function as though they were connected directly to the remote network. This is very useful as the remote worker has a much greater level of access to the network and associated resources than they would normally have when they are outside of the network boundaries.
VPNs are also used to protect traffic routed over untrusted or public connections by individual consumers. Many companies sell these services to the public for exactly such purposes, enabling users to protect their traffic from being logged by ISPs, from being intercepted by others on the same network, or to alter their apparent geographical location in order to avoid blocking based on the user’s physical location.
VPN services are also popular with consumers that make use of peer-to-peer (P2P) file sharing services. This type of activity is often monitored by ISPs and organizations such as the Recording Industry Association of America (RIAA) in order to harass and prosecute those engaged in illegal file sharing. VPNs render both the traffic and real IP addresses of those taking part in P2P file sharing much more difficult to positively associate with the individual in question.
No Magic Bullet in Network Security
We have discussed a number of technologies that can be used in the name of network security. While these are very useful tools for protecting networks, it is important to realize that none of these measures constitutes a magic bullet for network security.
As we discussed earlier, to ensure a reasonable level of security, we need to employ the concept of defense-in-depth and place as many layers of protection as is reasonable between our important assets and the attacker or issue. In the case of the technologies we have already discussed, such layers might include a screening router, DMZ, firewall, and IDS/IPS (Figure 4).
Figure 4 – Defense-in-Depth
We will see something similar in place on a multitude of networks, but this still does not represent a complete set of protections. To avoid the "crunchy on the outside, gooey in the middle" model of security we see when all of our efforts focus on the network borders, security measures often need to involve additional layers of technical security, and additionally need to go beyond the strictly technical.
In an ideal world, we would want to see additional network segmentation inside the network borders with accompanying firewalls and IDS/IPS devices for each segment, thus dividing the network into zones based on the required level of security for the devices in each zone. Beyond this, we might also include security measures such as software firewalls on individual hosts, host-based IDS/IPS on each system, and so on. Beyond the technical measures, we also need monitoring for both the environment in general and for specific items such as logs, audit processes, security awareness training, and any of a number of other non-technical security measures, with the specific configuration depending on the environment in question.
One of the more important realizations in network security is that this is not the stopping place. Firewalls, IDS/IPSs, proxies, and the rest of the litany of security devices are only the tiniest point sticking up on the security iceberg. Without the backing of the other components in a good security program, such security devices are of limited usefulness and, worse yet, provide us with a false sense of security.
And for the budding pen testers out there, you need to know this stuff in and out. Not only is it good to know what the good network administrators do, but you need to understand when these security measures are missing. That will allow you to better penetrate your clients’ network and also know what to recommend when remediating their issues.
Dr. Jason Andress (ISSAP, CISSP, GPEN, CEH) is a seasoned security professional with a depth of experience in both the academic and business worlds. In his present and previous roles, he has provided information security expertise to a variety of companies operating globally. He has taught undergraduate and graduate security courses since 2005 and conducts research in the area of data protection. He has written several books and publications covering topics including data security, network security, penetration testing, and digital forensics.