Chapter 8: Protecting The Network
We use a variety of methods to protect our networks, devices, and data. This
chapter covers approaches to network security defense, access control methods,
and the various sources cybersecurity analysts rely on for threat intelligence.
Cybersecurity analysts must prepare for any type of attack. It is their job to
secure the assets of the organization’s network. To do this, cybersecurity analysts
must first identify the organization’s assets and then identify its vulnerabilities.
Edge router – The first line of defense is known as an edge router (R1 in
the figure). The edge router has a set of rules specifying which traffic it
allows or denies. It passes all connections that are intended for the internal
LAN to the firewall.
Firewall – A second line of defense is the firewall. The firewall is a
checkpoint device that performs additional filtering and tracks the state of
the connections. It denies the initiation of connections from the outside
(untrusted) networks to the inside (trusted) network while enabling internal
users to establish two-way connections to the untrusted networks. It can also
perform user authentication (authentication proxy) to grant external remote
users access to internal network resources.
Internal router – Another line of defense is the internal router (R2 in the
figure). It can apply final filtering rules on the traffic before it is forwarded
to its destination.
Routers and firewalls are not the only devices that are used in a defense-in-depth
approach. Other security devices include Intrusion Prevention Systems (IPS),
advanced malware protection (AMP), web and email content security systems,
identity services, network access controls and more.
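The layered path described above (edge router rules, then a stateful firewall), as an added example that is not part of the original chapter: a small Python simulation in which R1 drops packets with spoofed inside addresses and the firewall admits traffic from the untrusted side only when it matches a connection an inside host opened. The 10.0.0.0/8 LAN and the packet sequence are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed topology (not from the page): 10.0.0.0/8 is the trusted LAN,
# anything else is the untrusted side of the perimeter.
def is_inside(ip: str) -> bool:
    return ip.startswith("10.")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    new: bool   # True for a bare SYN, i.e. an attempt to open a connection

def edge_router_acl(pkt: Packet) -> str:
    """Stateless first line of defense. Only perimeter-crossing traffic reaches R1,
    so a packet with an inside source AND an inside destination is spoofed."""
    return "deny" if is_inside(pkt.src) and is_inside(pkt.dst) else "allow"

class StatefulFirewall:
    """Second line of defense: tracks connections opened from inside and admits
    outside traffic only when it belongs to one of them."""
    def __init__(self) -> None:
        self.connections = set()

    def filter(self, pkt: Packet) -> str:
        if is_inside(pkt.src):
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"      # inside -> outside: permitted and remembered
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not pkt.new and reply_key in self.connections:
            return "allow"      # outside -> inside, but a reply to a tracked connection
        return "deny"           # unsolicited initiation from the untrusted side

def run_sample() -> list:
    """Push a constructed packet sequence through R1 and then the firewall."""
    fw = StatefulFirewall()
    flow = [
        Packet("10.0.0.5", 51000, "203.0.113.10", 443, new=True),   # LAN host opens HTTPS
        Packet("203.0.113.10", 443, "10.0.0.5", 51000, new=False),  # server's reply
        Packet("198.51.100.7", 40000, "10.0.0.5", 22, new=True),    # outside tries SSH in
        Packet("10.0.0.77", 40000, "10.0.0.5", 22, new=True),       # spoofed inside source
    ]
    return [fw.filter(p) if edge_router_acl(p) == "allow" else "deny" for p in flow]
```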
Not every leaf needs to be removed in order to get at the heart of the
artichoke. The hacker chips away at the security armor along the perimeter to get
to the “heart” of the enterprise.
While Internet-facing systems are usually very well protected and boundary
protections are typically solid, persistent hackers, aided by a mix of skill and luck,
do eventually find a gap in that hard-core exterior through which they can enter
and go where they please.
Security Onion
Security Artichoke
Business Policies
Company policies - These policies establish the rules of conduct and the
responsibilities of both employees and employers. Policies protect the rights
of workers as well as the business interests of employers. Depending on the
needs of the organization, various policies and procedures establish rules
regarding employee conduct, attendance, dress code, privacy and other areas
related to the terms and conditions of employment.
Employee policies - These policies are created and maintained by human
resources staff to identify employee salary, pay schedule, employee benefits,
work schedule, vacations, and more. They are often provided to new
employees to review and sign.
Security policies - These policies identify a set of security objectives for a
company, define the rules of behavior for users and administrators, and
specify system requirements. These objectives, rules, and requirements
collectively ensure the security of a network and the computer systems in an
organization. Much like a continuity plan, a security policy is a constantly
evolving document based on changes in the threat landscape, vulnerabilities,
and business and employee requirements.
Security Policy:
2) Password Policies.
BYOD Policies
Many organizations must now also support Bring Your Own Device
(BYOD). This enables employees to use their own mobile devices to access
company systems, software, networks, or information. BYOD provides several key
benefits to enterprises, including increased productivity, reduced IT and operating
costs, better mobility for employees, and greater appeal when it comes to hiring
and retaining employees.
The following BYOD security best practices help mitigate BYOD risks:
Password protect access – Use unique passwords for each device and
account.
Manually control wireless connectivity – Turn off Wi-Fi and Bluetooth
connectivity when not in use. Connect only to trusted networks.
Keep updated – Always keep the device OS and other software updated.
Updated software often contains security patches that mitigate the
latest threats or exploits.
Back up data – Enable backup of the device in case it is lost or stolen.
Enable “Find my Device” – Subscribe to a device locator service with
remote wipe feature.
Provide antivirus software – Provide antivirus software for approved
BYOD devices.
Use Mobile Device Management (MDM) software – MDM software
enables IT teams to implement security settings and software configurations
on all devices that connect to company networks.
Mandatory access control (MAC) – Applies the strictest access control and
is typically used in military or mission critical applications. It assigns
security level labels to information and enables users with access based on
their security level clearance.
Discretionary access control (DAC) – It allows users to control access to
their data as owners of that data. DAC may use ACLs or other methods to
specify which users or groups of users have access to the information.
Non-Discretionary access control - Access decisions are based on an
individual's roles and responsibilities within the organization, also known as
role-based access control (RBAC).
Attribute-based access control (ABAC) - Allows access based on
attributes of the object (resource) to be accessed, the subject (user) accessing
the resource, and environmental factors regarding how the object is to be
accessed, such as time of day.
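As an added example (not from the chapter) of the models above, the following Python policy evaluates an ABAC request against subject, resource, and environment attributes, with the clearance-versus-classification rule playing the role of the MAC-style label check. The attribute names and the policy rules are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Subject:            # the user requesting access
    name: str
    department: str
    clearance: int        # security level clearance, as in MAC labels

@dataclass
class Resource:           # the object being accessed
    name: str
    department: str
    classification: int   # security level label on the data

@dataclass
class Environment:        # how and when the access is being made
    hour: int             # local hour of the request, 0-23
    network: str          # "corp" or "internet"

# Constructed policy (not from the page). Each rule is a predicate over all
# three attribute sets; any rule that evaluates to False denies the request.
RULES = {
    "same department": lambda s, r, e: s.department == r.department,
    "clearance covers classification": lambda s, r, e: s.clearance >= r.classification,
    "business hours only": lambda s, r, e: 8 <= e.hour < 18,
    "classified data only from corp network":
        lambda s, r, e: r.classification < 3 or e.network == "corp",
}

def decide(subject: Subject, resource: Resource, env: Environment) -> tuple:
    """Deny by default: returns (allowed, names of the rules that failed)."""
    failed = [name for name, rule in RULES.items() if not rule(subject, resource, env)]
    return (not failed, failed)
```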
AAA Operation
This concept is similar to the use of a credit card, as indicated by the figure.
The credit card identifies who can use it, how much that user can spend, and keeps
account of what items the user spent money on.
Devices communicate with the centralized AAA server using either the
Remote Authentication Dial-In User Service (RADIUS) or Terminal Access
Controller Access Control System (TACACS+) protocols.
RADIUS uses UDP ports 1812 and 1813, or 1645 and 1646.
RADIUS combines authentication and authorization.
RADIUS encrypts only the password in the access-request packet from the
client to the server. The remainder of the packet is unencrypted, leaving the
username, authorized services, and accounting unprotected.
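To make the point about RADIUS concrete, here is an added example, not from the chapter, that implements the RFC 2865 User-Password hiding and builds a minimal Access-Request: the User-Name attribute can be parsed out of the packet without the shared secret, while only the password field is obfuscated. The shared secret, authenticator, and credentials are constructed sample values.

```python
import hashlib
import struct

# Constructed sample shared secret (not from the page); the client and server both know it.
SECRET = b"example-shared-secret"

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2: the password is null-padded to a
    multiple of 16 bytes and each block is XORed with MD5(secret + previous block),
    where the first 'previous block' is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side reversal: the same keystream chain, fed with the received blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username: bytes, password: bytes, secret: bytes,
                         authenticator: bytes) -> bytes:
    """Minimal Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the type/length/value attributes after the 20-byte header. No secret is
    needed, which is the point: only type 2 is hidden, type 1 is readable by anyone."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs
```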
AAA Accounting collects and reports usage data in AAA logs. These logs
are useful for security auditing. The collected data might include the start and stop
connection times, executed commands, number of packets, and number of bytes.
AAA Accounting
1. When a user has been authenticated, the AAA accounting process generates
a start message to begin the accounting process.
2. When the user finishes, a stop message is recorded and the accounting
process ends.
Records what the user does, including what is accessed, the amount of time the
resource is accessed, and any changes that were made. (Accounting)
Uses a created set of attributes that describes the user’s access to the network.
(Authorization)
Collects and reports usage data so that it can be employed for purposes such as
auditing or billing. (Accounting)
Users and administrators must prove that they are who they say they are.
(Authentication)
Which resources the user can access and which operations the user is allowed to
perform. (Authorization)
Note: Network security has a very steep learning curve and requires a
commitment to continuous professional development.
Cert
SANS
SysAdmin, Audit, Network, Security (SANS) Institute resources are largely free
upon request and include the popular Internet Storm Center, the Internet’s early
warning system; NewsBites, the weekly news digest; @RISK, the weekly
vulnerability digest; flash security alerts; and more than 1,200 award-winning,
original research papers. SANS also develops security courses.
MITRE
FIRST
INFOSYSSEC
ISC2
MS-ISAC
The MS-ISAC is the focal point for cyber threat prevention, response, and recovery
for the nation’s state, local, tribal, and territorial (SLTT) governments. The MS-ISAC
24x7 cyber security operations center provides real-time network monitoring, early
cyber threat warnings and advisories, vulnerability identification and mitigation,
and incident response.
Another method for keeping up-to-date on the latest threats is to read blogs
and listen to podcasts. Blogs and podcasts also provide advice, research, and
recommended mitigation techniques.
There are several security blogs and podcasts available that a cybersecurity
analyst should follow to learn about the latest threats, vulnerabilities, and exploits.
Cisco Talos
Threat intelligence services allow the exchange of threat information such as
vulnerabilities, indicators of compromise (IOC), and mitigation techniques. This
information is not only shared with personnel, but also with security systems. As
threats emerge, threat intelligence services create and distribute firewall rules and
IOCs to the devices that have subscribed to the service.
One such service is the Cisco Talos group. Talos is a world-leading threat
intelligence team whose goal is to help protect enterprise users, data, and
infrastructure from active adversaries. The Talos team collects information about
active, existing, and emerging threats. Talos then provides comprehensive
protection against these attacks and malware to its subscribers.
Cisco Security products can use Talos threat intelligence in real time to
provide fast and effective security solutions.
Cisco Talos also provides free software, services, resources, and data.
FireEye
The FireEye Malware Protection System blocks attacks across web and
email threat vectors, and latent malware that resides on file shares. It can block
advanced malware that easily bypasses traditional signature-based defenses and
compromises the majority of enterprise networks. It addresses all stages of an
attack lifecycle with a signature-less engine utilizing stateful attack analysis to
detect zero-day threats.
The MITRE Corporation defines unique CVE Identifiers for publicly known
information-security vulnerabilities to make it easier to share data.
These open standards provide the specifications that aid in the automated
exchange of cyber threat intelligence information in a standardized format.