Module 5 - Technical Security Controls
This course defines the different types of malware and outlines the impact that each one can have on an organization’s computer systems. It also details the different methods through which networks can be accessed, and how the related security risks can be controlled. Finally, it defines what cloud computing is and explains the different deployment models, before looking at the security requirements of an organization’s IT infrastructure and the documentation required to support this.
The objectives of this course are to provide you with an understanding of:
- The different types of malware and the impact each one can have on an organization’s computer systems
- Methods of accessing networks and how related security risks can be controlled
- The security issues related to networking services, including mobile computing, instant messaging and voice over IP
- Cloud computing deployment models and the security implications of cloud services
- The security requirements of an organization’s IT infrastructure and the documentation required to support this
This course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific pre-requisites to study this course, however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org if you are unsure about where to start or if you would like help getting started.
Welcome to this video on networks and communications.
Today, the business world is highly connected; staff, contractors, suppliers and customers can access information from almost any location, and through any platform or device including laptops, tablets and smartphones, accessing networks using Wi-Fi, 3G, 4G or 5G.
The corporate infrastructure might be accessed through an extranet and the organization might have multiple sites, each with their own IT infrastructure. The sites could be connected using an internal Wide Area Network, with each one communicating independently with the internet.
As a result, an organization might support many connections to the outside world, some of which are known, and some are unknown because they’ve been installed without appropriate authorisation.
This video will outline the different methods through which networks can be accessed, and how the related security risks can be controlled.
Let’s start by looking at the three key building blocks of a network.
· A switch connects endpoints to the network so they can communicate with each other. It learns which device sits behind each port and forwards a frame only to the port where the destination is attached, so for the duration of the exchange the sending and receiving devices effectively have the full bandwidth of the link to themselves.
When they’re deployed properly, switches improve the performance of the network by reducing the collisions which occur when two devices try to communicate on the same channel at the same time.
They have two primary benefits:
- They provide each pair of communicating devices with a fast connection; and
- They segregate the communication so that unicast traffic between two devices doesn’t enter other areas of the network. This is a performance feature rather than a security boundary: a device on the same LAN can still attempt to redirect or observe traffic, so VLANs, port security and similar controls are needed where segregation is a security requirement.
A network comprising devices connected by switches is often referred to as a local area network, or LAN.
· Routers are devices that connect two or more networks and filter network traffic so that only the desired information travels between them. For example, routers can be used to regulate the flow of information between internal networks and the Internet.
A network that links separate sites through routers, typically over carrier or public links, is often referred to as a wide area network, or WAN.
· Most applications that use a network employ a client/server model. Server software running on one device listens for requests from client software running on another device. The client initiates the connection and the server supplies a service to the client.
A proxy acts as the server to the client and the client to the server. In other words, it handles the conversation between the client and the server, and only passes traffic to the server and the client that it considers to be legitimate.
Web proxies are specifically designed to handle web traffic.
Now let’s look at how the network security within an organization can be controlled.
The first stage is to implement a firewall. Firewalls are network devices that isolate and control the flow of traffic between networks of differing trust levels. Generally, they make their decisions at the network and transport layers, on addresses, protocols and port numbers, rather than on application content, although application firewalls that do inspect content also exist.
Firewalls help protect internal networks from the Internet and enforce access policy. They provide comprehensive auditing of the connections that traverse them and allow granular access control.
The output of a firewall log can be treated as an alarm to inform the security team when someone’s doing something or accessing something they shouldn’t. Many firewalls also double up as the endpoint of encrypted Virtual Private Network tunnels or provide the access control mechanisms for remote access users, like home or mobile workers.
Firewalls can provide a range of services to help enforce a corporate security policy, including:
· Intercepting and controlling traffic between networks – acting as a policy enforcement point between secure and unsecure networks;
· Permitting configured applications, for example allowing only web traffic and email to pass to the internal network;
· Limiting the range of hosts that can send and receive traffic. For example, a firewall could be configured to prevent a specific server from connecting to the internet;
· Limiting the types of data passing over the boundary. For example, preventing java applets coming into the network; and
· Providing a centralised audit log of all outbound communications, auditing all connections to external destinations from users.
Three of the common types of firewalls are:
· Packet filtering;
· Proxy servers; and
· Application firewalls.
Most routers can perform stateless packet filtering, the simplest form of firewall, where each packet is judged on its own against the rule set. Stateful packet filtering is where the device maintains a table of active sessions and uses that state information to decide which packets pass. A packet that opens a new connection is checked against the policy; a packet that claims to belong to an existing connection is accepted only if that connection is already in the table, otherwise it’s rejected. The device therefore knows which connections are currently active.
A device providing stateful packet filtering is considered a firewall.
A proxy server can either be dedicated hardware or software installed on a general-purpose machine. As we’ve seen, it acts as the client to the server and the server to the client.
Application firewalls understand the application traffic passing through them, so they work at a higher level than packet filtering firewalls. Rather than allowing or blocking connections solely according to addresses and ports, they inspect the content of the traffic to check that it really is the permitted protocol and that it conforms to policy; this is known as deep packet inspection.
Because the application firewall does more than a simple packet filter, it’s a slower process. However, it does provide a more reliable security filter.
Most firewall architectures involve the creation of a De-Militarized Zone, or DMZ, which is a small network segment inserted as a neutral zone between an organization’s private network and an untrusted network, like the Internet.
The DMZ provides secure segregation of networks for services to users, visitors, or partners.
Here, an external webserver is being hosted in the DMZ and users attached to the internet will come through the outer firewall to access this webserver. However, remote users needing access to the internal network have to go through both the outer and inner firewalls.
A simple firewall policy can enable a range of user functions, including:
· External users of the website can be forwarded to the external webserver in the DMZ.
· Email messaging can be permitted in both directions in and out of the corporate network to the Internet.
· Users on the internal network can browse the internet.
· Users on the internal network can browse the external webserver.
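The policy above, together with the stateful session tracking described earlier and a firewall log that is read as an alarm feed, as an added Python example that is not part of the course material. The zones (10.0.0.0/8 internal, 192.0.2.0/24 DMZ, everything else internet), the host addresses and the rule that bars one internal server from the internet are assumptions; the first matching rule wins and anything unmatched is denied.

```python
"""Added example (not from the course): a toy stateful packet filter enforcing
the DMZ policy, with an audit log that doubles as an alarm feed."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto syn")
Rule = namedtuple("Rule", "action src dst proto ports")   # ports None = any port


def zone(ip):
    """Assumed addressing: internal 10/8, DMZ 192.0.2/24, the rest is internet."""
    if ip.startswith("10."):
        return "internal"
    if ip.startswith("192.0.2."):
        return "dmz"
    return "internet"


def matches(selector, ip):
    """A rule selector is either a zone name or a specific host address."""
    return selector == ip or selector == zone(ip)


WEB_SERVER = "192.0.2.10"     # external web server in the DMZ (assumed address)
MAIL_GATEWAY = "192.0.2.25"   # mail gateway in the DMZ (assumed address)
DB_SERVER = "10.0.0.50"       # internal host that must never reach the internet (assumed)

# First matching rule wins; a packet that matches nothing is denied.
RULES = [
    Rule("deny",   DB_SERVER,    "internet",   "tcp", None),        # specific server blocked
    Rule("permit", "internet",   WEB_SERVER,   "tcp", {80, 443}),   # external users -> DMZ web
    Rule("permit", "internet",   MAIL_GATEWAY, "tcp", {25}),        # inbound mail
    Rule("permit", MAIL_GATEWAY, "internet",   "tcp", {25}),        # outbound mail
    Rule("permit", "internal",   MAIL_GATEWAY, "tcp", {25}),        # internal mail -> gateway
    Rule("permit", MAIL_GATEWAY, "internal",   "tcp", {25}),        # gateway -> internal mail
    Rule("permit", "internal",   "internet",   "tcp", {80, 443}),   # internal users browse web
    Rule("permit", "internal",   WEB_SERVER,   "tcp", {80, 443}),   # internal users -> DMZ web
]


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # 5-tuples of connections that were permitted
        self.log = []           # audit log, one line per decision

    def policy(self, p):
        for r in self.rules:
            if (matches(r.src, p.src) and matches(r.dst, p.dst)
                    and r.proto == p.proto and (r.ports is None or p.dport in r.ports)):
                return r.action
        return "deny"           # implicit deny at the end of the rule set

    def process(self, p):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reply = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.sessions or reply in self.sessions:
            verdict, reason = "ACCEPT", "established"       # belongs to a known session
        elif p.syn and self.policy(p) == "permit":
            self.sessions.add(key)
            verdict, reason = "ACCEPT", "new"               # policy allows a new session
        elif p.syn:
            verdict, reason = "DROP", "policy"
        else:
            verdict, reason = "DROP", "no-session"          # mid-stream packet, unknown session
        self.log.append(f"{verdict} {zone(p.src)}->{zone(p.dst)} "
                        f"{p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto} {reason}")
        return verdict


def alarms(log):
    """Denied traffic that originates inside the organisation is worth an alarm."""
    return [line for line in log if line.startswith("DROP internal->")]


def demo():
    fw = StatefulFilter(RULES)
    packets = [                                                        # constructed traffic
        Packet("198.51.100.7", 40000, WEB_SERVER, 443, "tcp", True),   # web user -> DMZ
        Packet(WEB_SERVER, 443, "198.51.100.7", 40000, "tcp", False),  # reply on that session
        Packet("198.51.100.7", 40001, "10.0.0.20", 445, "tcp", True),  # internet -> internal host
        Packet("198.51.100.9", 5555, WEB_SERVER, 443, "tcp", False),   # no SYN, no session
        Packet(DB_SERVER, 50000, "203.0.113.5", 443, "tcp", True),     # barred server -> internet
        Packet("10.0.0.20", 50001, "203.0.113.5", 443, "tcp", True),   # internal user browsing
    ]
    verdicts = [fw.process(p) for p in packets]
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, log = demo()
    print("\n".join(log))
    print("alarms:", alarms(log))
```

The fourth packet is the stateful check in action: it is aimed at a permitted service, but because no session was ever opened with a SYN it is dropped. The fifth packet is the kind of log line the security team should see as an alarm, since an internal server that has no business on the internet has just tried to reach it.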
Boundary controls can police the traffic coming in and out of an organization and can help stop malicious code being introduced.
Here, you can see a system design which includes boundary controls. It illustrates two additional components in the DMZ; the mail gateway and the web gateway.
These two gateways implement additional security controls and enforce additional policy measures, for example:
· Antivirus scanning to examine web and email traffic, to detect and prevent viruses and other malware from entering the internal network.
· Content filtering to examine traffic and remove unacceptable file types or content, such as prohibited executable code or pornography.
· Whitelists or blacklists to define the websites that internal users can access and those they’re prohibited from.
Cryptography also plays a role in securing and protecting communications traffic. There are four main purposes of cryptography in relation to network security:
· An attacker with a network sniffer or listening equipment can’t see the traffic if it’s encrypted – that helps to maintain confidentiality. Cryptography can be used to prevent usernames and passwords being transmitted in clear text over the network;
· It can detect whether data has been modified, deleted or inserted in transit, using a message authentication code or a digital signature. However, it can’t prevent the data being modified or deleted; it only allows the receiver to notice that it’s happened and reject the data;
· It can support user authentication and device authentication. User authentication occurs when the system verifies a claimed identity, for example, if a user logs in with the username of johnsmith and a password of 12345678, the system verifies that they’re the person they claim to be; and
· Providing non-repudiation through digital signatures. Non-repudiation is most commonly used to ensure a sender can’t later deny they sent a message.
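The integrity and authentication points above, as an added Python example that is not part of the course. It uses a keyed hash (HMAC) from the standard library; the shared key is an assumption, standing in for something a key exchange or key management solution would supply. Each record is bound to a sequence number so that deleting or reordering whole records is caught as well as changing bytes inside one.

```python
"""Added example (not from the course): detecting modification, deletion and
insertion with an HMAC over sequence-numbered records. Detection only: nothing
here stops the attacker changing bytes on the wire."""
import hashlib
import hmac


def tag(key: bytes, data: bytes) -> bytes:
    """Message authentication code over data; only a holder of the key can compute it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, received: bytes) -> bool:
    """Constant-time comparison so timing doesn't reveal how many tag bytes matched."""
    return hmac.compare_digest(tag(key, data), received)


def seal(key: bytes, seq: int, msg: bytes):
    """Bind the record to its position in the stream by authenticating seq || msg."""
    return (seq, msg, tag(key, seq.to_bytes(8, "big") + msg))


def receive(key: bytes, records):
    """Classify each record: 'ok'; 'tampered' when bytes were changed, inserted or
    removed inside it (or the tag was forged without the key); 'gap' when a whole
    record was deleted or reordered. The receiver can only detect and reject."""
    status = []
    expected = 0
    for seq, msg, t in records:
        if not verify(key, seq.to_bytes(8, "big") + msg, t):
            status.append((seq, "tampered"))
        elif seq != expected:
            status.append((seq, "gap"))
        else:
            status.append((seq, "ok"))
        expected = seq + 1
    return status


def demo():
    key = b"shared-secret-from-key-exchange"   # assumed; really from key management
    msgs = [b"TRANSFER 100 TO 42", b"TRANSFER 5 TO 7", b"LOGOUT", b"NOOP", b"NOOP"]
    sent = [seal(key, i, m) for i, m in enumerate(msgs)]
    # Constructed tampering on the wire: record 1 deleted, bytes inserted into
    # record 3 with its old tag kept, record 4 rebuilt by an attacker without the key.
    seq3, msg3, tag3 = sent[3]
    seq4, msg4, _ = sent[4]
    forged = msg4 + b"; DROP ALL"
    delivered = [
        sent[0],
        sent[2],
        (seq3, msg3 + b"!", tag3),
        (seq4, forged, tag(b"attacker-key", seq4.to_bytes(8, "big") + forged)),
    ]
    return receive(key, delivered)


if __name__ == "__main__":
    for seq, status in demo():
        print(seq, status)
```

The same construction is what protocols such as TLS and IPsec do at the record level; a plain hash without a key would not help, because an attacker who can change the data can recompute an unkeyed hash to match.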
A virtual private network – or VPN – is typically used to create a private network over a public network, like the Internet. In effect, a VPN supports a closed community of authorised users.
Most VPNs provide some level of security based on cryptographic separation…
· Confidentiality and integrity of data;
· Network (device) authentication; and
· User authentication.
The most common protocol for providing VPN security these days is IPsec – or Internet Protocol Security.
VPNs are sometimes referred to as tunnelling technologies, because they provide a secure network which ‘tunnels’ through a less secure network.
There are three typical uses of a VPN:
· The first use is as an intranet within an organization, shown as the VPN pipe between Site 1 and Site 2 passing over the network. This network could be a public network, like the internet, or another network where the data needs to be isolated from other traffic.
A VPN concentrator is shown at the two endpoints of the VPN. The VPN protocol, for example IPsec, is used to secure the traffic between the two concentrators, with the usual TCP/IP protocols being carried over the VPN. With IPsec the VPN link is encrypted and the two concentrators are authenticated to each other.
Each concentrator is either manually or automatically supplied with encryption keys using a key management solution.
On the other side of the concentrators, standard TCP/IP protocols are used. The VPN concentrators could be supplied by the organization, perhaps as part of the DMZ infrastructure, or through an ISP as part of a managed service.
· The second use is remote access by an employee. In these situations, the employee’s PC generally implements the VPN protocol. The user supplies credentials to authenticate to the VPN gateway. In older remote-access protocols the password also seeded the encryption key; modern protocols such as IPsec negotiate the session keys separately through a key exchange (IKE), so the credential authenticates the user rather than directly forming the key. Because that credential is all that stands between an attacker and the internal network, a second authentication factor is the usual hardening step.
· The third use is as an extranet outside an organization to a third-party. The diagram shows the third-party communicating with the organization using a VPN, which then forms an extranet. An extranet is part of an organization’s network made available to trusted third parties. The organization controls what services the third party can access using firewalls or routers. It differs from the DMZ which is open to the public.
Another common technology that provides a secure channel is Transport Layer Security, or TLS. It grew out of Secure Sockets Layer, or SSL, which Netscape developed to secure connections between a user’s web browser and a webserver; TLS is the IETF-standardised successor, and the SSL versions are now deprecated.
TLS behaves slightly differently to a VPN.
Network-layer VPNs such as IPsec carry whole IP packets, and therefore any TCP or UDP traffic, on top of the secure tunnel…
…whereas TLS secures a single application connection, such as an HTTP or email session. As a result, TLS operates between two defined endpoints.
VPNs can operate in a multisite mode, whereas TLS can’t.
If a web browser connects to a web server using TLS, it creates a single point-to-point TLS session. The nature of this connection defines the encryption and authentication mechanisms between the endpoints.
The handshake that establishes the connection also negotiates the protocol version and cipher suite used by the endpoints, so weak versions and algorithms should be disabled in the configuration of both sides rather than left available for negotiation; an attacker in the path may otherwise try to steer the endpoints towards the weakest option they both still accept.
So far, we’ve seen a variety of network security solutions – now we’re going to look at how end users or systems are securely authenticated.
After logging into a PC at work, access is provided to several network services like file servers, email and the intranet.
The goal of many enterprises is to achieve Single Sign-On, or SSO, where a user logs in once and their identity is authenticated automatically to allow access to all business applications.
The most common SSO technology is Kerberos, which is used by Microsoft’s Active Directory. RADIUS and TACACS+ are also used to centralise authentication, although they are really AAA protocols for network access (VPNs, wireless and network device administration) rather than single sign-on for applications.
When a user logs into an Active Directory based computer system, they’re normally leveraging an underlying Kerberos infrastructure. When they access a resource, like a file share on the network, Kerberos determines whether they’re allowed in.
For most SSO technologies, a username and password are required. However, optional security extensions can be added to make use of smartcards or tokens.
Now, let’s look at network authentication for wireless LANs, or WLANs.
In most corporate networking environments, wireless access points are configured securely using WPA2 (Wi-Fi Protected Access 2). When a user connects to a wireless access point, they need to be authenticated. On a home network (WPA2-Personal), their PC will be configured with a pre-shared key that matches one on the access point; at work (WPA2-Enterprise), the access point uses 802.1X to pass their credentials to an authentication server, typically a RADIUS server.
In either case, the user connects to an access point based on the Service Set Identifier or SSID. This is effectively the name of the WLAN that’s being advertised by the access point, although some access points can have more than one advertised SSID.
A common threat that mobile workers face when they use the internet to gain access to the corporate network is that of an open access point. Coffee shops, hotels and other public areas offer free Wi-Fi to anyone who accepts the terms and conditions. Hackers have been known to set up rogue open access points which, if connected to, will result in an attack.
Advanced methods allow the attacker to launch man-in-the-middle attacks against traffic that crosses the rogue access point. A correctly validated TLS session is not broken by this alone; the attacker relies on the user clicking through a certificate warning, on a site that isn’t forced to HTTPS, or on client software that doesn’t check the certificate properly.
This slide shows two hot spots being advertised to this computer system with similar SSIDs. Can you spot the bogus one?
The point is, you can’t tell the difference if the SSIDs are the same, without other security measures being in place.
In a work environment, the client is configured to validate the certificate presented by the authentication server during 802.1X, including the server name or certificate authority it expects, so a rogue access point advertising the same SSID can’t complete the authentication and the user’s credentials aren’t handed to it.
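Another of those "other security measures" is an inventory of the organisation’s own access points, checked against what is actually on the air. The following is an added Python example, not course material; the corporate SSID, the known BSSIDs (radio MAC addresses) and the scan results are constructed.

```python
"""Added example (not from the course): spotting rogue or 'evil twin' access
points by checking a wireless scan against the organisation's AP inventory."""
from collections import namedtuple

# security is one of 'open', 'wpa2-psk' (pre-shared key) or 'wpa2-eap' (802.1X)
AP = namedtuple("AP", "ssid bssid security")

CORP_SSID = "ExampleCorp"                                    # assumed
KNOWN_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02",    # assumed radios we own
                "00:11:22:aa:bb:03"}


def normalise(ssid: str) -> str:
    """Evil twins often differ only by case or padding that the network picker hides."""
    return " ".join(ssid.split()).casefold()


def find_rogues(scan, corp_ssid=CORP_SSID, known=KNOWN_BSSIDS):
    """Return (bssid, reason) for each AP that advertises the corporate SSID from
    a radio we don't own, or from one of ours with weaker security than 802.1X.
    None of this is visible to a user choosing a network by its name."""
    findings = []
    for ap in scan:
        if normalise(ap.ssid) != normalise(corp_ssid):
            continue                                     # somebody else's network
        bssid = ap.bssid.lower()
        if bssid not in known:
            findings.append((bssid, "unknown BSSID advertising corporate SSID"))
        elif ap.security != "wpa2-eap":
            findings.append((bssid, "corporate SSID served as " + ap.security))
    return findings


def demo():
    scan = [                                                 # constructed scan results
        AP("ExampleCorp", "00:11:22:AA:BB:01", "wpa2-eap"),
        AP("ExampleCorp", "00:11:22:aa:bb:02", "wpa2-eap"),
        AP("ExampleCorp", "00:11:22:aa:bb:03", "wpa2-psk"),  # ours, but misconfigured
        AP("examplecorp ", "de:ad:be:ef:00:01", "open"),     # evil twin: same name to the eye
        AP("CoffeeShop", "66:77:88:99:aa:bb", "open"),
    ]
    return find_rogues(scan)


if __name__ == "__main__":
    for bssid, reason in demo():
        print(bssid, reason)
```

A wireless intrusion detection system does essentially this continuously from the organisation’s own sensors; the point of the example is that the control lives in the inventory and the 802.1X server certificate, not in anything the user can see on the network list.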
An organization might want to open a section of their network to third party partners or suppliers without giving them full access to the system.
However, this isn’t always as easy as providing a web portal, since many line-of-business applications require other protocols that are normally blocked by the DMZ firewalls. In this case, potential connection methods that an organization can use to connect third parties include:
· An extranet providing a network on the periphery of the enterprise network, although this is less trusted than an internal network. The organization might, for example, host one or more web servers in the extranet network that partners can access for ordering goods.
· Through web services. These provide the means for applications to communicate with each other, either over the internet or within an intranet.
· Through Electronic Data Interchange, or EDI, a protocol for exchanging business documents such as purchase orders and invoices. However, this is being phased out to make way for more modern web services technologies.
If third party traffic is routed through the corporate DMZ, the following security controls should be considered:
· Authentication, to ensure the organization knows who’s accessing their resources;
· VPN concentrators hosted in the DMZ; and
· Host boundary controls to perform anti-virus and intrusion prevention functions.
It’s also worth considering dedicated extranet web servers hosted in the DMZ rather than having third party connections into the internal network.
Network management comprises the systems, tools and processes needed to provision, operate, administer and maintain networks.
Good network governance is important for the organization to maintain their security posture; poor governance could lead to incorrect configuration of a firewall or filtering rules in a router which could expose the organization to significant risk.
The whole organization depends on network integrity, so it needs to be resilient and provide the ability to respond to different business continuity demands.
As networks can be extremely complex and connect many data centres, buildings and sites, a network management centre should be established to monitor the network. This is usually a 24-7 operation and works in conjunction with a Security Operations Centre.
Between them, the network management centre and the Security Operations Centre will:
· Monitor the status of the network, looking for outages and problems;
· Observe configuration changes which could indicate an attacker trying to reconfigure network devices;
· Maintain a baseline of configurations installed on network devices; and
· Hold documentation on the network architecture and topology, including configuration information.
The governance structure provides a reporting line to senior management which shows how effective the controls are in supporting policy.
Recommendations contained in the ISO/IEC 27000 series of standards, as well as ITIL and ISO 9001, should be followed when developing the governance structure, and associated processes and procedures. This includes the Plan-Do-Check-Act model.
That’s the end of this video on networks and communications.
About the Author
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.