Secure Network Components
Network equipment must be operated and maintained securely. This part of the tutorial looks at the components of a secure network and the security properties a practitioner should expect from each of them.
As a CISSP candidate, you need to understand the security fundamentals and concepts that apply to each type of network equipment.
Network components are usually critical for day-to-day operations, and an outage or security incident affecting them can cost a business millions of dollars.
Networks are typically segmented, or subdivided, into smaller organizational units. These smaller units, groups, or subnetworks can be used to improve several aspects of the network:
- Providing security: network segmentation improves security by confining traffic, and the access of users, to the segments they are authorized for, so a host compromised on one segment cannot reach every other host directly.
While designing a secure network, you must evaluate numerous networking devices.
Hardware Operations
- Modems: A modem (modulator/demodulator) converts the digital signal of a host into an analog signal suited to the carrier medium (a telephone line or a cable TV coaxial plant) and back again. It is a different device from a Channel Service Unit/Data Service Unit (CSU/DSU), which terminates a digital leased line. Because a modem deals with signalling, it operates at Layer 1 (Physical) of the OSI model.
- Routers: These devices perform routing operations for packets and also enable the communication of devices that are located in different subnets of network IP addresses. Routers operate on Layer 3 of the OSI model.
- Switches: Switches provide internal connectivity and, when configured with VLANs, create separate broadcast domains. There are many types of switches: most work at Layer 2 of the OSI model, while multilayer (Layer 3) switches can also route between VLANs. In principle, though, a switch is known as a Layer 2 device.
- Access points: These devices are the main component of an infrastructure-mode wireless network; without them, wireless clients can only form ad hoc links with one another. There is a wide variety of access points, and because they extend the network past the physical perimeter, their authentication and encryption settings need the same review as any wired edge device.
Transmission Media
Transmission media are defined at the Physical Layer of the OSI model, for wired and wireless media alike (the Data Link Layer defines how frames are placed on the medium, for example the 802.11 MAC). In this section, transmission over wired media such as coaxial, Ethernet, and fiber will be discussed.
Coaxial: Coaxial cable is typically used with cable modem installations to provide connectivity to an Internet Service Provider (ISP); the cable modem converts between the digital data of the LAN and the analog signals carried on the cable.
Ethernet: Ethernet cables are the common cables for LANs (for example, for connecting a computer to a network). They come in several categories (Cat 3, Cat 5, Cat 5e, Cat 6, and so on) and several shielding types (UTP, STP, FTP, and S/FTP). Shielding reduces electromagnetic interference and, to a lesser degree, the signal that leaks from the cable.
Fiber: Fiber-optic cable contains a glass (or plastic) core that carries pulses of light representing the data being transmitted. Light in glass suffers far less attenuation and no electromagnetic interference, so fiber supports higher transmission speeds and carries signals over much longer distances than copper. Fiber is also more secure than UTP, STP, or coaxial: it does not emanate a signal that can be picked up from outside the cable, and tapping it normally requires physically splicing it, which introduces a measurable loss.
Fiber typically comes in two options, single-mode and multi-mode.
Single-mode fiber has a very thin core that carries a single light path (usually from a laser). It is used for long-distance communication, over several kilometers or miles.
Multi-mode fiber has a wider core that carries many light paths (usually from an LED or VCSEL). Its transceivers are cheaper, but the different paths spread the signal out over distance, so its reach is limited to a few hundred meters, and the limit shrinks as the desired speed increases.
NAC
Network Access Control (NAC) is the concept of controlling access to an environment by applying a series of restrictions and rules before a device is allowed onto the network. The goals of Network Access Control are as follows:
- Prevent or mitigate zero-day attacks, by keeping devices that fail a posture check (missing patches, outdated anti-malware, no disk encryption) in a quarantine segment
- Enforce security policy throughout the network
- Use identities, not just network location, to provide access control
There are a variety of devices that provide this type of protection, including the following:
Firewall
A firewall controls traffic flow between a trusted network (such as a home or corporate LAN) and an untrusted or public network (such as the Internet). A firewall can be hardware, software, or a combination of both. There are three basic classifications of firewalls:
- Packet-filtering: One of the most basic types of firewalls. A packet-filtering firewall typically operates at the Network Layer or Transport Layer of the OSI model. It permits or denies traffic based solely on the IP, TCP, UDP, and ICMP headers of each individual packet: the traffic direction (inbound or outbound), the source and destination IP addresses, and the source and destination TCP or UDP port numbers (or ICMP type). This information is compared with predefined rules in an access control list (ACL) to decide whether each packet is permitted or denied. Because every packet is judged on its own, the ACL cannot tell a reply from an unsolicited packet: to let internal hosts ping the Internet, for example, it must permit outbound ICMP echo requests and all inbound ICMP echo replies, whether or not a request was ever sent.
- Circuit-level gateway: A circuit-level gateway controls access by maintaining state information about established connections. This type of firewall operates at the Session Layer of the OSI model. Once a permitted connection is established between two hosts, a virtual circuit is created for the session and the packets belonging to it flow freely between the two hosts; the payload itself is not inspected.
- Application-level gateway: This type of firewall is considered the most secure and is commonly implemented as a proxy server. With a proxy, no direct communication between the two hosts is permitted: the proxy terminates the client's connection, inspects the request and, if the firewall rules permit it, opens its own connection to the destination host and forwards the request on the client's behalf. This firewall operates at the Application Layer of the OSI model, so it can enforce rules about the protocol itself (for example, which HTTP methods are allowed), at the cost of needing protocol-specific code for every service it proxies.
Stateful Firewalls
These firewalls keep a state table that allows the firewall to compare current packets with the connections that previous packets established, so a reply is admitted only when it matches an outbound request. Stateful firewalls are slower than packet filters but are far more secure. The state table is itself a finite resource: a SYN flood that opens many half-connections can exhaust it, so production deployments set entry limits and timeouts.
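The difference between a stateless packet filter and a stateful one, shown on the ICMP echo case discussed above. This is an added example written for this tutorial, not code from the original page: a small Python model run over a few constructed packets that use RFC 5737 documentation addresses. The Packet layout and the names stateless_filter, StatefulFilter and verdicts are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type numbers (RFC 792)


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at (assumed layout for this model)."""
    direction: str   # "out" = LAN to Internet, "in" = Internet to LAN
    proto: str       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    info: int        # ICMP type for icmp; destination port for tcp/udp


def stateless_filter(pkt: Packet) -> bool:
    """Static ACL. Each packet is judged alone, so for ping to work the ACL must
    permit every inbound echo reply, solicited or not. Anything not listed is denied."""
    if pkt.proto != "icmp":
        return False
    if pkt.direction == "out" and pkt.info == ECHO_REQUEST:
        return True
    if pkt.direction == "in" and pkt.info == ECHO_REPLY:
        return True
    return False


class StatefulFilter:
    """Same policy, but a reply is admitted only if it matches an outbound request
    recorded in the state table; the entry is retired once the reply arrives."""

    def __init__(self) -> None:
        self.pending: Set[Tuple[str, str]] = set()   # (inside host, outside host)

    def __call__(self, pkt: Packet) -> bool:
        if pkt.proto != "icmp":
            return False
        if pkt.direction == "out" and pkt.info == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst))
            return True
        if pkt.direction == "in" and pkt.info == ECHO_REPLY:
            key = (pkt.dst, pkt.src)          # reply's dst is our host, src the outside host
            if key in self.pending:
                self.pending.discard(key)     # one reply per request
                return True
        return False   # unsolicited reply, or an echo request from outside


# Constructed traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("out", "icmp", "192.0.2.10", "198.51.100.5", ECHO_REQUEST),  # our ping
    Packet("in", "icmp", "198.51.100.5", "192.0.2.10", ECHO_REPLY),     # its reply
    Packet("in", "icmp", "203.0.113.7", "192.0.2.10", ECHO_REPLY),      # unsolicited reply
    Packet("in", "icmp", "203.0.113.7", "192.0.2.10", ECHO_REQUEST),    # ping from outside
]


def verdicts(filt: Callable[[Packet], bool], packets: List[Packet] = SAMPLE_TRAFFIC) -> List[bool]:
    """Run one filter over a packet sequence in order (order matters for the stateful one)."""
    return [filt(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", verdicts(stateless_filter))   # [True, True, True, False]
    print("stateful :", verdicts(StatefulFilter()))   # [True, True, False, False]
```

The stateless ACL passes the unsolicited reply from 203.0.113.7 because the "inbound echo reply" rule has to stay open permanently; that standing hole is what ICMP covert channels and reflection traffic rely on. The stateful filter admits only the reply whose (inside host, outside host) pair matches an outstanding request, then drops the entry, so the same packet is denied.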
Proxy Firewalls
Proxy firewalls act as intermediary servers: a client connects to the proxy and the proxy opens a separate connection to the destination, so it can apply packet-filter and stateful checks and then inspect the application data itself before it passes the traffic through or denies it.
IDS and IPS
Intrusion detection is defined as the real-time monitoring and analysis of network activity and data to identify attacks in progress, attempts to exploit known vulnerabilities, and policy violations.
IDSs are classified in many different ways, including:
- Active or Passive
- Network-based or Host-based
- Knowledge-based or Behavior-based
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are sometimes referred to together as intrusion detection and prevention systems (IDPS).
An IDS is a software or hardware appliance that monitors traffic moving on networks for suspicious activity and known threats and sends up notifications when it finds such items; it observes a copy of the traffic and cannot block anything by itself.
An IPS sits inline, so it can detect and prevent identified threats by scanning all network traffic and dropping or resetting the connections it matches (which also means a false positive blocks legitimate traffic, and a failure of the inline device can take the link down). There are a number of different threats that an IPS is designed to prevent, including:
- Various types of exploits
- DoS and DDoS attacks
- Viruses
- Worms
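Knowledge-based versus behavior-based detection, as an added example written for this tutorial rather than taken from it. Both detectors parse the same common-log-format web server lines: the first matches signatures of known attack strings in the request path, the second learns a per-source request-rate baseline from known-good traffic and flags sources that exceed it. The log lines are constructed (built by the clf helper with a fixed timestamp), the addresses are RFC 5737 documentation addresses, and the signature list and the names signature_alerts and anomaly_alerts are assumptions made for the illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Parser for common log format lines: client address, method, request path, status.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse(line: str) -> Optional[Dict[str, str]]:
    m = CLF.match(line)
    return m.groupdict() if m else None


# Knowledge-based (signature) detection: patterns of known attacks in the request path.
SIGNATURES: List[Tuple[str, "re.Pattern"]] = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sqli-union", re.compile(r"union(\s|\+|%20)+select", re.I)),
    ("cmd-injection", re.compile(r"(;|%3b|\|)\s*(cat|wget|curl|sh)\b", re.I)),
]


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source, signature name) for every line whose path matches a known pattern."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable line; a real IDS would raise an alert on this too
        for name, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name))
    return alerts


# Behavior-based (anomaly) detection: learn how many requests one source makes in a
# window from known-good traffic, then flag sources exceeding mean + k * stddev.
def per_source_counts(lines: List[str]) -> Counter:
    return Counter(rec["src"] for rec in map(parse, lines) if rec)


def anomaly_alerts(baseline_lines: List[str], observed_lines: List[str], k: float = 3.0) -> List[str]:
    base = list(per_source_counts(baseline_lines).values())
    threshold = mean(base) + k * pstdev(base)
    return sorted(src for src, n in per_source_counts(observed_lines).items() if n > threshold)


def clf(src: str, path: str, status: int = 200) -> str:
    """Build a constructed log line (fixed timestamp; this is not captured traffic)."""
    return f'{src} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed known-good window: each source makes one or two requests.
BASELINE_LINES = [clf(s, p) for s, p in [
    ("192.0.2.10", "/index.html"), ("192.0.2.10", "/about.html"),
    ("192.0.2.11", "/index.html"), ("192.0.2.11", "/contact.html"),
    ("192.0.2.12", "/index.html"),
    ("192.0.2.13", "/index.html"), ("192.0.2.13", "/news.html"),
    ("192.0.2.14", "/about.html"),
]]

# Constructed observed window: one traversal attempt (a single request that matches a
# signature) and a scraper making six requests to harmless paths (no signature, abnormal rate).
OBSERVED_LINES = [clf(s, p, st) for s, p, st in [
    ("192.0.2.10", "/index.html", 200), ("192.0.2.10", "/about.html", 200),
    ("203.0.113.7", "/../../etc/passwd", 404),
] + [("203.0.113.9", f"/search?q={i}", 200) for i in range(6)]]


if __name__ == "__main__":
    print(signature_alerts(OBSERVED_LINES))                    # [('203.0.113.7', 'path-traversal')]
    print(anomaly_alerts(BASELINE_LINES, OBSERVED_LINES))      # ['203.0.113.9']
```

The two approaches catch different attackers: the traversal attempt trips a signature but makes too few requests to look anomalous, and the scraper uses only legitimate-looking paths but stands out against the learned rate. A knowledge-based IDS can only find what has a signature; a behavior-based one finds novel activity but needs a clean baseline and produces false positives whenever normal behavior shifts, which is why the two are normally deployed together.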
Endpoint Security
Security is only as strong as its weakest link, and the weakest link is usually the endpoint (desktop and laptop computers, smartphones, tablets, medical devices, barcode scanners, smart TVs, and so on). Endpoints are particularly vulnerable to attack for many reasons, including:
Number and variety: The sheer number and variety of endpoints on the network creates numerous opportunities for an attacker to exploit vulnerabilities in different operating systems and applications.
End users: Endpoints are operated by end users with varying computer skill levels and awareness of security and privacy issues. End users usually have little security knowledge and are easy victims for phishing and other social engineering.
Privilege: In many organizations, end-user accounts are local administrators, the highest level of privilege on the system. Malware that runs under such an account inherits that privilege, which is why attackers value it.
Prioritization: Endpoints are often treated as "lower value" assets on the network. For this reason, security efforts are typically focused on the data center and higher-value assets, such as servers and databases.
For these reasons, endpoint security can be the most difficult part of network security to manage and maintain, and one of the most important, since most intrusions begin on an endpoint.
The most common methods of protecting endpoints are as follows:
- Authentication of users and devices before access is granted
- Multifactor authentication
- Volume encryption
- VPN tunnels
- Network encryption
- Install anti-virus and anti-malware software
Beyond the traditional endpoint protection methods, there are others too that provide additional security:
- Application whitelisting (allowlisting): Only applications on the whitelist can run on the endpoint. The list must be defined and maintained by the network security manager, and it should identify applications by cryptographic hash or publisher signature rather than by file name or path, which an attacker can change freely.
- Restricting the use of removable media: This minimizes malicious files coming into the network from the outside, and data leaving it.
- Automated patch management: Patch management is the most critical task for maintaining endpoints; staying up to date on the latest versions closes the known vulnerabilities that most malware relies on.
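A hash-based application allowlist, added here as an illustration of the whitelisting point above (it is not the tutorial's own code): a file is approved by the SHA-256 of its contents, so a renamed or relocated copy of an approved program still runs, while an unknown binary that borrows an approved name, or a tampered copy of the approved one, does not. The files are constructed stand-ins written to a temporary directory, and Allowlist, may_execute and demo are assumed names.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable


def sha256_file(path: str) -> str:
    """Hash a file's contents in chunks so large binaries never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    """Hash-based application allowlist (assumed name). The decision depends only on
    the bytes of the file, never on its name or the directory it sits in."""

    def __init__(self, allowed_hashes: Iterable[str]) -> None:
        self.allowed = {h.lower() for h in allowed_hashes}

    def may_execute(self, path: str) -> bool:
        return sha256_file(path) in self.allowed


def _write(path: str, data: bytes) -> str:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo() -> Dict[str, bool]:
    """Exercise the allowlist on constructed files (plain text stand-ins, not real programs)."""
    approved = b"#!/bin/sh\necho approved-tool\n"
    unknown = b"#!/bin/sh\necho dropped-by-attacker\n"
    with tempfile.TemporaryDirectory() as d:
        tool = _write(os.path.join(d, "bin", "tool.sh"), approved)
        # The administrator publishes the hashes of the approved binaries.
        allow = Allowlist([sha256_file(tool)])

        # Attacker drops an unknown binary under the approved program's name elsewhere.
        imposter = _write(os.path.join(d, "Downloads", "tool.sh"), unknown)
        # A user copies the approved program under another name: same bytes, same hash.
        renamed_copy = _write(os.path.join(d, "Downloads", "t.bin"), approved)
        # One extra line appended to the approved program changes the hash entirely.
        tampered = _write(os.path.join(d, "bin", "tool-patched.sh"), approved + b"echo backdoor\n")

        return {
            "approved_tool": allow.may_execute(tool),            # True
            "imposter_same_name": allow.may_execute(imposter),   # False: name matches, bytes do not
            "approved_copy_renamed": allow.may_execute(renamed_copy),  # True
            "tampered_tool": allow.may_execute(tampered),        # False
        }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} {'ALLOW' if verdict else 'BLOCK'}")
```

In practice the allowlist is enforced by the operating system (AppLocker or Windows Defender Application Control on Windows, for example) rather than by a script, but the decision they make is the one modelled here; the operational cost is that every legitimate update changes the hash and must be added to the list, which is why publisher-signature rules are used alongside plain hashes.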
Content-Distribution Networks (CDN)
A CDN uses a series of distributed caching servers to improve the performance of downloaded online content: users fetch content from the closest or fastest server, over the most optimal network path available, rather than from the origin site. Azure CDN (from Microsoft) is one example of a CDN service.
CDNs cache web content such as static web pages, streaming music and video, and on-demand videos, and serve it to Internet users from those edge servers. Because the edge server terminates the user's TLS connection, the CDN provider holds a certificate for the site and sees the traffic in the clear, so it becomes part of the site's trust boundary; in return, its capacity also absorbs much of the volumetric DDoS traffic that would otherwise reach the origin.