
11/9/2020 5. Network Security Implementation - Network Security, Firewalls, and VPNs

https://learning.oreilly.com/library/view/network-security-firewalls/9780763791308/ch05.html 1/31

Chapter 5. Network Security Implementation

IMPLEMENTATION is the act of designing, installing, deploying, and configuring network security. This chapter focuses on the foundations of network security essential to every organization, from an individual computer at home to a multinational corporation's network. The foundations of security apply universally no matter the size, purpose, or function of computers and networking.

The foundations of network security include layered defenses, proper use of protocols, communication management, system hardening, and more. Based on some common, often simple, principles, you can significantly improve your organization's computer systems. Following the suggestions in this chapter will reduce the risk of system compromise from accident, oversight, Mother Nature, or malicious intent.

Chapter 5 Topics

This chapter will cover the following topics and concepts:

What the seven domains of a typical IT infrastructure are

What network design and "defense-in-depth" is

What protocols and topologies are

What common types of addressing are

How to control communication pathways

How to harden systems

Which method to use for selecting equipment

What authentication, authorization, and accounting are

What communication encryption is


What the best architecture is: local hosts only or remote and mobile hosts

What redundancy is

What node security is

Chapter 5 Goals

Upon completion of this chapter, you will be able to:

Describe elements of network security design.

Compare and contrast public and private addressing as well as static and dynamic addressing.

State the importance of system hardening.

Describe why authentication, authorization, accounting, and encryption are essential for network security.

Identify the security concerns of local hosts as well as remote and mobile hosts.

Define the elements of node security.

Seven Domains of a Typical IT Infrastructure

Seven domains are commonly found in the typical IT infrastructure (Figure 5-1) of moderate- to large-sized organizations. These seven domains were introduced in the first chapter, but in the context of network security implementation, they require more detail and focus.

Hackers look for every opportunity to exploit a target. No aspect of an IT infrastructure is without risk or immune to the scrutiny of hackers. When designing and implementing network security, you need to analyze every one of the seven domains of a typical IT infrastructure for potential vulnerabilities and weaknesses. Security measures must be detailed, focused, and exhaustive. You must consider every possible avenue of attack, assess risk, and if the risk is sufficient, apply a countermeasure. Failing to do so will leave an open pathway for a hacker. A hacker only needs one crack in your defenses to begin chipping away at the security of the entire network.

Each of the seven domains of a typical IT infrastructure has unique aspects that need security improvements. Later chapters will expand on these topics, but a quick list of important foundational network security issues related to these seven domains is pertinent here:

User Domain—This domain refers to the actual user, whether they be employees, consultants, contractors, or other third parties. Any user who accesses and uses the organization's IT infrastructure should review and sign an acceptable use policy (AUP) prior to being granted access to the organization's IT resources and infrastructure. This domain should also be the focus of training, strong authentication, granular authorization, and detailed accounting. Additionally, many of the protections added to other domains provide additional protections for and against the user domain.


Figure 5-1. The seven domains of a typical IT infrastructure.

Workstation Domain—This domain refers to the end user's desktop devices such as a desktop computer, laptop, VoIP telephone, or other end-point device. Workstation devices typically require security countermeasures such as antivirus, anti-spyware, and vulnerability software patch management to maintain the integrity of the device. System hardening, communication protection, and positioning of workstations are critical to security.

Local Area Network (LAN) Domain—This domain refers to the physical and logical local area network technologies used to support workstation connectivity to the organization's network infrastructure. Protocols, addressing, topology, and communication encryption provide security for this domain.

LAN-to-Wide Area Network (WAN) Domain—This domain refers to the organization's internetworking and inter-connectivity point between the LAN and the WAN network infrastructures. Switches, routers, firewalls, proxies, and communication encryption are important aspects of security for this domain.

Remote Access Domain—This domain refers to the authorized and authenticated remote access procedures for users to remotely access the organization's IT infrastructure, systems, and data. Remote access solutions typically involve SSL 128-bit encrypted remote browser access or encrypted VPN tunnels for secure remote communications. Knowing where a host is located helps determine the types of security necessary on that host.

WAN Domain—Organizations with remote locations require a wide area network to interconnect them. Protocol selection, addressing schemes, and communication encryption are elements of securing this domain.

Systems/Applications Domain—This domain refers to the hardware, operating system software, database software, client-server applications, and data that are typically housed in the organization's data center and/or computer rooms. Network design, authentication, authorization, accounting, and node security are important security concerns for this domain.

Network administrators need to recognize that the potential for compromise exists throughout an organization. This recognition leads to the need for adequate network security throughout an organization. Starting from the knowledge that risk exists and threats loom, network security administrators can design and implement appropriate countermeasures and safeguards.


Network Design and Defense-in-Depth

Every network is different. However, common security principles apply to every network, regardless of its unique elements. One of these common principles is secure network design. Secure network design embeds core protections and improvements into an IT infrastructure before it is implemented. Design comes from planning. Planning comes from sufficient knowledge and understanding.

Common security goals include confidentiality, integrity, availability, privacy, authentication, authorization, non-repudiation, and accounting. To efficiently accomplish these goals, informed planning assists you in designing the network before deployment.

An underlying fundamental of network security design is that no security solution is perfect. Any single security protection, countermeasure, or safeguard is insufficient. Hackers will use some method, technique, or exploit to bypass, evade, or render useless a security protection. The potential concerns include placement, programming flaws, default settings, maximum values, processing capabilities, memory capacity, backdoors, malicious code, social engineering, and physical attacks. This list is not exhaustive, but represents the key issues. In theory, no security solution is sufficient and complete on its own.

Thus, you need to use multiple security components. This is known as defense-in-depth or multiple layers of defense (Figure 5-2). By following a defense-in-depth design concept, numerous safeguards will protect each asset. As one defense tool interlocks with another, they overlap and improve the overall security. The strengths and benefits of one countermeasure supplement or compensate for the weaknesses and limitations of another.

Figure 5-2. An example of defense-in-depth around an asset.

Defense-in-depth leads many security professionals to two additional guidelines: 1) avoid single points of failure; and 2) divide and conquer. A single point of failure is any element, component, or aspect of a system that could lead to failure or compromise of the entire system. Divide and conquer is the process of separating a large project into multiple, smaller, and manageable pieces.


Avoiding single points of failure must take place on multiple fronts. A hacker only needs a single flaw or weakness to exploit a target. Efforts should focus on finding and eliminating as many vulnerabilities as possible to remove the single points hackers seek to exploit.

Good design filters every user interaction with an asset multiple times. This filtering should include authentication, authorization, content filtering, and context filtering. Only relying upon a single filter or check system is a form of a single point of failure. Always assume that any one service or function is flawed or will fail.

Effective network design monitors and examines all activities against an asset using multiple techniques. This could include object auditing, server monitoring, client monitoring, network monitoring, and so on. Only using a single monitoring viewpoint could be a single point of failure. Everyone has seen video footage from a single perspective that guides the viewer into seeing or believing one thing, but from another camera angle the truth, the trick, or an alternate explanation becomes clear.

Divide and conquer is not just a tactic for waging actual war; it is also a tactic in the war against network security breaches. By dividing up a larger project or task into manageable components, you can focus on and care for each component to ensure accuracy and completeness in addressing network security concerns. Attempting to tackle the security of a network as a whole is often a recipe for disaster. Evaluating the big picture is always a good idea, but working exclusively on the whole may lead to overlooking details or missing subtle nuances only perceived upon close, detailed inspection.

A layered security approach throughout the IT infrastructure works best: slow, methodical, compartmentalized, and thorough. Properly designed network security should support timely delivery of information and adequate response of transactions. A properly secured network provides reliable and stable communications. Well-designed security adapts to changing conditions. Well-designed security anticipates future growth and expansion.

Designing network security is neither a simple nor short-term task. Thorough network security design must include adequate research, thorough planning, and extensive modeling and testing. The process of security design must evaluate a wide range of technologies performing an astounding number of functions.

Ultimately, good network security design produces a blueprint to guide the construction of a securely functioning network infrastructure. The blueprint is the foundation for your organization's security policy. Most network designs have limitations. These limitations include budget, internal politics, regulations, standards, and industry practices. Network design should focus on providing the best security possible within prescribed budgetary boundaries.

One method to reduce compromise by hackers is to keep them from finding your network as a target. By staying offline and only using trusted communication pathways, your organization can avoid a significant level of risk. However, this form of technological hide and seek is not perfect, nor does it eliminate all issues. External hackers might not be able to hack a non-Internet-connected intranet from the outside; however, the risk from disgruntled employees and other internal users is still present.

The idea of hiding from danger is commonly known as security through obscurity. While it's true that if you are not found then you cannot be attacked, the issue is often a false hope if obscurity rather than actual countermeasures and safeguards protect the network. Being obscure or difficult to locate may be a good thing, but it's not itself a form of reliable security. Use only direct and real security defenses when you are designing network security.

Security is essential to the long-term survival of any modern organization. Without security, logical, physical, and social breaches would render most companies vulnerable to failure. But security cannot work without balance. You can over-secure an infrastructure to the point where security interferes with work tasks. Usability and security must be in balance. Usability will not survive long without security, and too much security can cripple usability. Good network security design balances security and usability.

One goal of most organizations is to expand and grow. They often seek to attract new customers, support more clients, sell more products, offer more services, make more money, and so forth. But growth can be a two-edged sword. While growth can lead to a more reliable and assured future, it can also cause growing pains. For any organization, growing pains occur when the existing infrastructure, facilities, and even personnel are pushed to the limit or beyond to support the additional workload caused by growth.

Growth can be expected, unexpected, gradual, or abrupt. A proper network design process evaluates and predicts potential growth scenarios and plans contingencies for each. One contingency for growth is to build additional capacity into the current infrastructure. If slow growth is expected, then 20 percent additional capacity may be sufficient, while rapid growth may consume 50 percent additional capacity in a short time (Figure 5-3).

Growing too fast is as much of a burden as shrinking. By stretching beyond an organization's capacity to support, sell, create, maintain, respond, produce, and so forth, small problems quickly snowball into avalanches. Steady, controlled, limited growth is often a method to ensure long-term viability and stability. This is true in general business management and it's true in network security design.

During the network design phase, consider the scalability of all technologies you select for deployment. Does a component or system have a maximum value or limitation it will quickly reach? Can the component or system expand without compromising efficiency, cost effectiveness, and security? Will the component or system need replacement by a scalable solution once moderate growth occurs? If so, why not use the scalable solution now? Planning for growth will reduce problems associated with outgrowing function and security capacity.


Figure 5-3. Rate of growth used to predict needed additional capacity.

No security endeavor will succeed without the active involvement of senior management. In fact, without their explicit approval and support, any security effort is likely doomed to fail. Senior management has the responsibility to dictate the strategic goals and plans of the organization and, hence, its IT infrastructure and integrated security. Senior management must approve budgetary funding, encourage compliance, and support security, even when problems occur.

Throughout the entire design and implementation process for network security, senior management monitors and approves progress reports. Senior management steers the organization and its security planning through the changing business environment. But secure network design isn't only about following the leader; it's also about integrating every employee into the overall security design process. Security is the responsibility of everyone in the organization, not just managers and executives.

The elements of secure network design touch on every aspect of an IT infrastructure. This includes hosts, nodes, communications, encryption, local and remote systems, redundancy, and more. Often, the process of designing security starts by focusing on a central or core element found throughout the infrastructure. Examples of distributed core components are networking protocols and topologies.

Protocols and Topologies

A significant portion of network security is about making the right technology choices without falling into easy traps or defaults. One common trap is to continue doing the same thing or using the same product. You need to re-evaluate old technologies and existing solutions on a regular basis. Most organizations choose to perform a security design evaluation annually. When performing a security evaluation, re-think every aspect of the infrastructure, including network protocols and topologies.

Most networks use Transmission Control Protocol/Internet Protocol (TCP/IP) as their primary network protocol. Specifically, most networks in 2010 still use IPv4 as opposed to IPv6. Using IPv4 is not an open invitation for hackers, but it does have numerous commonly exploited weaknesses and concerns. IPv4 typically defaults to a plaintext form of transmission, while IPv6 can be set by default to encrypt transmissions. IPv4 can be encrypted using IP Security (IPSec) or other virtual private network (VPN) protocols.

Other issues to consider include:

Is the current protocol easy to compromise?

Are there numerous exploits for this protocol available for novice hackers?

Can encryption be applied?

Is the process of adding encryption complex or costly?

Will encryption interfere with other technologies (such as IPSec and network address translation [NAT])?

Is there an alternative or replacement available?

Is the alternative backwards compatible?

Is the alternative supported by all current hosts and nodes?

This is only a partial and not exhaustive list of questions you need to consider when assessing the currently deployed networking protocol for possible replacement. The point is to give serious consideration to this issue on a regular basis. Most of the elements of a network's security are based on the protocol in use. If the protocol has changed or improved, this could cause sweeping changes throughout the production environment, most importantly in the security of that environment.

As a general rule of thumb, if most hosts and software are less than five years old, then upgrading to IPv6 is likely possible with minimal complication. However, if IPv4 with IPSec or other forms of encryption are functioning well within performance and security parameters, there's no strong need to upgrade to IPv6.

When you consider a protocol upgrade, you'll need to thoroughly research and test every aspect of the production and security environment to confirm compatibility with IPv6. Any transition is going to have some hurdles, and certainly switching the main network protocol is a candidate for major hurdles. Perform the rollout of a protocol change in stages, only after piloting in a lab, and consider running dual protocols for a transition period.

TCP/IP, or at least IP itself, is not the only protocol in use on most networks. Every single protocol across every theoretical layer of the OSI model network protocol stack needs re-evaluation on a regular basis. Do you still want to continue using Simple Mail Transfer Protocol (SMTP) and Post Office Protocol (POP)? What about File Transfer Protocol (FTP), Network News Transfer Protocol (NNTP), and telnet?

If a protocol operates in plaintext, consider using a protocol with native encryption or investigate the possibility of encapsulating it inside an encrypting tunneling protocol, such as IPSec or SSL/TLS.

Are AppleTalk, Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), Systems Network Architecture (SNA), NetBIOS Extended User Interface (NetBEUI), or other protocols still present on the network? Are they still necessary? Have the older systems requiring them been replaced or removed? Can newer secure alternatives replace these older and insecure protocols? Can any system still using a legacy protocol be replaced to gain host security and remove the protocol?


Don't let tradition, personal bias, or sunk cost get in the way of making a smart security design decision. Just because something has always been done a certain way doesn't mean it should continue that way, especially if the old way was insecure. Personal biases in terms of likes, dislikes, comfort, and familiarity are not good business reasons to avoid moving on to more secure solutions.

Sunk cost is the money or investment already made in the past, as opposed to prospective costs that are investments likely in the future. Often those managers overly concerned with wasting resources already invested will make poor decisions. Avoiding loss is a good principle of business, but just because you have already spent some money, time, and effort does not mean you should continue on a set path. Often, throwing good money after bad compounds the loss due to sunk cost. If the future benefit of an existing system, solution, or product is not assured, then no amount of sunk cost justifies its continued use. In most cases, you should only analyze future costs and benefits in making a decision. Already incurred expense (sunk cost) should not influence future choices.

Figure 5-4. Seven basic network topologies.

In addition to reevaluating protocol choices, you should reconsider your network's topology, as well. A network's topology is the physical interconnections between hosts and nodes. Several common or foundational topologies (Figure 5-4) are:

Ring topology

Bus topology

Star topology

Line topology

Tree topology

Full Mesh topology

Partial Mesh topology

technical TIP

Ring topology is a network design where host segments are attached to a central cable ring. Bus topology is a network design based on a single backbone cable to which all host segments connect. Ethernet is logically a bus topology-based technology, although it can operate in numerous other physical topologies. Star topology is a network design in which host segments radiate from a central node. Line topology is a network design in which hosts are connected end-to-end, each system being connected to no more than two others. Tree topology is a network design that organizes hosts into a hierarchy. Each host is connected upstream to a single parent, but can be connected downstream to none, one, or many hosts. Full Mesh topology is a network design that establishes all possible connections between hosts. A full mesh topology is the most fault tolerant topology possible, but is also the least resistant to propagation of malware. Partial Mesh topology is a mesh network design that establishes many but not all possible host-to-host links. This is not as fault tolerant as a full-mesh topology.

While some network topologies are designed before deployment, others grow organically as growth occurs. In either case, periodically re-assess your network's topology as well as every other aspect of your IT infrastructure.

On face value, a network topology seems like little more than a physical cabling solution. But, when you realize that a cable is a communication conduit for electronic transmissions, the security concerns become more apparent. The main concern is traffic management. A network administrator should know the pathways that mission-critical data traverse. You need to secure these pathways in relation to the value of the data traveling over them.

When dealing with cabling layouts and topologies, you must also be concerned with single points of failure. A single cable is just one fault away from a lost connection. While multiple links to every client may not be essential, it's reasonable to have two or more connections between every server and mandatory to have multiple connections to every essential service host (such as authentication, domain resolution, security assessment, and backup).

Designed topologies are more likely to provide long term security and performance benefits, but even the best planning cannot predict all possible occurrences in reality. Changes may occur that are outside the scope of the original plan, or maybe growth comes faster or more chaotically than expected. Organically produced topologies are nearly guaranteed to have flaws in terms of a lack of redundancy or poor traffic management.

A secure network design includes a topology appropriate for the organization, its communications, and the value of its resources. Short or direct pathways should exist between servers that commonly interact. Departments that do not share resources should use network paths that have little intersection. Position clients with a minimum number of segments away from the resource servers most appropriate for getting work done.

Topology is both a logical and a physical concern. Physical topology concerns include the amount of cabling consumed and the actual physical pathway through the building a cable takes. Secure physical topologies minimize access or exposure of cabling to outsiders, unauthorized personnel, or those with limited or lower access.

Logical topology concerns include networking technologies (such as Ethernet), signal propagation, latency, and addressing. Ethernet is a logical bus topology-based technology deployed over a wide range of non-bus physical topologies, such as star, mesh, and tree.

Each time a communication signal crosses a node or host, some amount of delay occurs between reception on one interface and transmission on another interface. The accumulation of this delay is called latency. Too much latency between end-points or within a round-trip, two-way communication can result in communication failures. Too many segments crossed by a signal, especially with sub-grade nodes, can result in unacceptable latency.

Logical topology also affects addressing. When IPv4 is in use, you need to manage subnets. A subnet is a logical collection of hosts, typically within a limited physical distance. Often a subnet consists of hosts interconnected through a hub or switch. Subnetting controls traffic. Communication between hosts within the same subnet is unhindered, but a router handles communications between hosts in different subnets. A router will make decisions on whether or not to route traffic and which pathway to use when traffic is forwarded. A router can perform basic filtering functions (as discussed previously, routers are the predecessors of firewalls).

Certain topologies encourage or discourage the use of routers, switches, hubs, repeaters, bridges, and other networking nodes and devices. Some of these devices impose subnetting restrictions or requirements. Thus, when selecting a topology, consider the implications on the desired addressing scheme, as well.

Most networks employ layered, mixed, or hybrid topologies. Mixing and matching the basic topologies into larger, more complex topologies is not necessarily a straightforward endeavor. You need to thoroughly investigate and analyze network and system requirements to ensure that your communication, production, and security needs are supported by the deployed topologies.

Common Types of Addressing

Addressing is the assignment of a logical numbering system to the hosts on a network for the purposes of efficient traffic routing. Addressing is more than just a system imposed by a network topology; it's often a means to control traffic. Traffic management through routing and traffic filtering is possible through the use of logical addresses.

The most common protocol in use worldwide is TCP/IP, and this network protocol dictates the most common addressing scheme. You learned in Chapter 1 that the addressing schemes of IPv4 and IPv6 are quite different. Some common elements, security concerns, and management techniques remain consistent, however.

Internal IP addresses can be public addresses, private addresses, or a mixture of both. A public address is an address issued by the IANA, monitored by RIRs, and leased directly through ISPs. The Internet Assigned Numbers Authority (IANA) (http://www.iana.org/) is the entity responsible for global coordination of IP addressing, DNS root, and other Internet protocol resources. A Regional Internet Registry (RIR) is one of five regional organizations that oversee and monitor the use and assignment of IP addresses (both IPv4 and IPv6). An ISP (Internet service provider) may randomly assign or semi-permanently lease an IP address to an individual or organization. Public addresses are those obtained from an ISP.

NOTE

In the past, it was possible to purchase or own IP addresses, specifically large groups or an entire class of addresses. However, this practice is mostly no longer possible, not because ownership of IP addresses is prohibited, but because of the lack of available IP addresses to sell. Many of the original Class A and Class B subnet owners still own, control, and use their purchased address. Some of these are actually ISPs that now lease out sub-sets of their owned IP address ranges. Today, most public IP addresses are leased rather than sold or owned.

A public address also implies that it communicates directly with resources on the Internet. The Internet itself only uses public addresses. Without a public address, it's impossible to communicate to or receive responses from an Internet-hosted resource.

Public addresses are assigned from Class A, B, and C ranges of the IPv4 address spectrum (as Class D and E are reserved for multicasting and experimentation respectively). Public addresses for IPv6 are most of the 2^128 addresses, except for the fc00::/7 address block.

In Request for Comments (RFC) 4193, IANA set aside the fc00::/7 ad- dress block for use as private addresses for IPv6 similar to that of RFC 1918 for IPv4. Private IPv4 addresses herald from RFC 1918 that sets aside three class ranges for private use:

Class A—10.0.0.0/8 (10.0.0.0-10.255.255.255; 1 Class A network)

Class B—172.16.0.0/12 (172.16.0.0-172.31.255.255; 16 Class B networks)

Class C—192.168.0.0/16 (192.168.0.0-192.168.255.255; 256 Class C networks)

A private address is used only within a private network. Individuals and organizations can use private addresses without approval from, or fees to, any outside entity. However, privately addressed hosts require NAT services to communicate with Internet resources. Internet routers are expected to drop any packet with a private address in its header, and ISPs typically filter such packets at their borders.

Private addresses serve as a basic isolation measure: external entities with public addresses cannot directly initiate communication with internal, privately addressed hosts, because no Internet route leads to those addresses. A NAT device lets the internal hosts reach Internet resources. Keep in mind that this isolation is a side effect of addressing rather than a substitute for a firewall; once a translation exists for a flow, or if the NAT device is configured to forward a port, external traffic reaches the inside.

You should review your organization's choice to use private or public addresses internally. The issue is not only about saving money. Private addresses are free, while public addresses are usually leased. Private addresses require translation, while public addresses do not. Private addresses are natively isolated from the Internet, while public addresses are not. It's even possible to mix private and public addresses on an intranet.
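
As an added example (this code is not from the textbook), the following Python script classifies addresses into the ranges just described and simulates the NAT step that a privately addressed host depends on. The public addresses it uses come from the RFC 5737 documentation ranges, and the port-allocation scheme is an assumption of the example; everything else follows the RFC 1918 and RFC 4193 definitions above.

```python
# Added example, not from the textbook: classify addresses into the public,
# private, and other reserved ranges discussed above, and simulate the NAT
# step that lets a privately addressed host reach the Internet. Standard
# library only. All addresses below are constructed; the "public" ones come
# from the RFC 5737 documentation ranges and stand in for real leased addresses.
from ipaddress import ip_address, ip_network

# Ranges that must never appear as a source or destination on the public
# Internet. RFC 1918 and RFC 4193 are the private blocks from the text; the
# rest are listed so that loopback or link-local addresses are not mistaken
# for public ones.
RESERVED = [
    ("private (RFC 1918)",     ip_network("10.0.0.0/8")),
    ("private (RFC 1918)",     ip_network("172.16.0.0/12")),
    ("private (RFC 1918)",     ip_network("192.168.0.0/16")),
    ("private (RFC 4193 ULA)", ip_network("fc00::/7")),
    ("loopback",               ip_network("127.0.0.0/8")),
    ("loopback",               ip_network("::1/128")),
    ("link-local",             ip_network("169.254.0.0/16")),
    ("link-local",             ip_network("fe80::/10")),
    ("multicast",              ip_network("224.0.0.0/4")),
    ("multicast",              ip_network("ff00::/8")),
    ("limited broadcast",      ip_network("255.255.255.255/32")),
]


def classify(addr: str) -> str:
    """Return the reserved-range label for addr, or 'public' if it is in none."""
    a = ip_address(addr)
    for label, net in RESERVED:
        if a.version == net.version and a in net:
            return label
    return "public"


def internet_routable(src: str, dst: str) -> bool:
    """An Internet router should forward a packet only if both ends are public."""
    return classify(src) == "public" and classify(dst) == "public"


class Napt:
    """Minimal port-overloading NAT (NAPT) for outbound flows (assumed design).

    Each outbound flow gets a port on the single public address. Inbound
    packets are translated only if they match an existing mapping *and* come
    from the peer the mapping was created for. Anything else is dropped, which
    is the isolation the text describes: nobody on the Internet can open a
    connection to 10.x.x.x.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (in_ip, in_port, dst_ip, dst_port) -> public port
        self.in_map = {}    # public port -> (in_ip, in_port, dst_ip, dst_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private network; returns the new 4-tuple."""
        if classify(src_ip) != "private (RFC 1918)":
            raise ValueError("NAT is only needed for private sources: " + src_ip)
        if classify(dst_ip) != "public":
            raise ValueError("destination is not Internet-routable: " + dst_ip)
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving from the Internet; None means drop."""
        entry = self.in_map.get(dst_port) if dst_ip == self.public_ip else None
        if entry is None:
            return None                      # no mapping: unsolicited, drop
        in_ip, in_port, mapped_dst_ip, mapped_dst_port = entry
        if (src_ip, src_port) != (mapped_dst_ip, mapped_dst_port):
            return None                      # mapping exists but wrong peer, drop
        return (src_ip, src_port, in_ip, in_port)


def demo():
    """Walk one flow through the NAT and show why unsolicited packets fail."""
    nat = Napt("203.0.113.10")
    out = nat.outbound("10.1.2.3", 51000, "198.51.100.7", 443)
    reply = nat.inbound("198.51.100.7", 443, out[0], out[1])
    stray = nat.inbound("198.51.100.9", 443, out[0], out[1])   # same port, wrong peer
    probe = nat.inbound("198.51.100.7", 443, out[0], 40001)    # port never mapped
    return out, reply, stray, probe


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.31.9.9", "172.32.0.1", "fd12::1", "198.51.100.7"):
        print(a, "->", classify(a))
    print(demo())
```

Run it to see the classifier output and the NAT walk-through. The point of the `inbound` method is that a packet from the Internet is translated only if it matches a mapping an inside host created; that is the whole of the "isolation" private addressing provides, and a forwarded port removes it for that port.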

Another addressing concern is whether to employ static or dynamic addressing. Static addressing pre-assigns a specific IP address to each host, while dynamic addressing hands out IP addresses to hosts from a pool. Dynamic addressing does not guarantee that a host will always receive the same address, unless a reservation is created for the host.

technical TIP

A DHCP reservation is the pre-assignment of a specific IP address to a host, keyed on the target host's MAC address. Reservations ensure that the same address is always issued to a specific host. They can simulate static addressing while retaining centralized control of address assignment.

Static addressing typically requires that the IP address be configured on each individual host. This ensures that a host always uses the same IP address. However, if changes to the network configuration or topology arise, manual changes to IP addresses on a host-by-host basis are a significant amount of additional administrative overhead.

Because of this, most organizations use dynamic assignment, typically using a Dynamic Host Configuration Protocol (DHCP) system. If static addressing is preferred, then DHCP reservations can simulate static addressing while maintaining centralized control. With reservation-based static addressing, changes can be made by editing the reservations on the DHCP server, without needing to manually adjust each host individually.

When addresses are assigned dynamically, it's possible for a rogue system to come online and receive a valid IP address just by asking. If addresses are assigned statically, then the attacker will need to discover a valid but unused IP address and manually configure his system to use it. Similarly, if DHCP reservations are used, the attacker will either manually assign his own static address or spoof a Media Access Control (MAC) address to "borrow" the reserved IP address of another system that is currently offline. Neither static addressing nor reservations is an access control in itself; each only raises the attacker's effort slightly.

Address management is an important concern of network security. Another concern is the management of communication pathways.

Controlling Communication Pathways

Controlling the flow of information is a key element of network security. This involves ensuring that data travels along pathways that are isolated, secured, and controlled, and not along pathways that are public, insecure, and uncontrolled. Part of communication pathway control is about topology selection, but it's also about router configuration, encrypted protocols, physical access management, and filtering.

Routers are the primary network devices administrators use to control the pathways that communications traverse. Failing to design router configuration and deployment with security in mind is a serious oversight. Routers make real-time determinations of the best available path to a destination. However, the information available to a router to make those decisions can be true and accurate, or incorrect, falsified, and misleading.

Secure network design includes protections for routers, routing protocols, and routing information. Physical isolation of a router is important to ensure that only authorized router administrators can access the device itself. Failing to protect routers physically means that the logical activities and the resulting routes selected cannot be trusted.

Routers employ routing protocols to exchange information about routes and connected pathways. This information is used to calculate the best path to guide a packet toward its destination. Depending on the make and model of router, the routing protocol, and the related configuration, an attacker can spoof or manipulate routing data, for example by injecting forged routing-protocol updates or by sending false Internet Control Message Protocol (ICMP) type 5 Redirect messages that change a host's next hop. Configure routers to accept routing information only from other known routers, by authenticating the source (most routing protocols support keyed authentication of their updates), and configure routers and hosts to ignore ICMP redirects unless there is a specific need for them. Consider also encrypting all communications between routers.
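
To make the ICMP redirect threat concrete, here is an added example (not from the textbook) that builds a type 5 Redirect on the wire with the Python standard library, parses it back, and applies the checks a host should make before honoring one. The addresses, and the acceptance policy in `should_accept_redirect`, are assumptions of the example.

```python
# Added example, not from the textbook: build and parse an ICMP type 5
# (Redirect) message with the standard library, then apply the checks a host
# should make before changing its route because of one. All addresses are
# constructed; the validation policy is an assumption of this example.
import struct
from ipaddress import ip_address, ip_network


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by both IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_redirect(router: str, host: str, new_gateway: str, victim_dst: str) -> bytes:
    """Router -> host: 'use new_gateway for victim_dst' (type 5, code 1 = host redirect)."""
    # A redirect quotes the header plus 8 bytes of the datagram that triggered it.
    original = ipv4_header(host, victim_dst, 6, 8) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", 5, 1, 0, ip_address(new_gateway).packed) + original
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, host, 1, len(icmp)) + icmp


def parse_redirect(packet: bytes):
    """Return the redirect's fields, None if not a redirect, ValueError if corrupt."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 1:
        return None
    icmp = packet[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, gateway = struct.unpack("!BBH4s", icmp[:8])
    if typ != 5:
        return None
    original_dst = icmp[8 + 16:8 + 20]        # destination field of the quoted header
    return {
        "from": str(ip_address(src)),
        "to": str(ip_address(dst)),
        "code": code,
        "new_gateway": str(ip_address(gateway)),
        "for_destination": str(ip_address(original_dst)),
    }


def should_accept_redirect(info, current_gateway: str, local_subnet: str,
                           accept_redirects: bool = False) -> bool:
    """Assumed host policy: ignore redirects unless explicitly enabled, and even
    then honour only one sent by the current first-hop gateway that points at a
    gateway on the local subnet (the checks RFC 1122 asks hosts to make)."""
    if not accept_redirects or info is None:
        return False
    if info["from"] != current_gateway:
        return False                              # not from our gateway: forged or stray
    if ip_address(info["new_gateway"]) not in ip_network(local_subnet):
        return False                              # off-link next hop makes no sense
    return True


if __name__ == "__main__":
    pkt = build_redirect("10.1.1.1", "10.1.1.50", "10.1.1.254", "198.51.100.7")
    info = parse_redirect(pkt)
    print(info)
    print("accept:", should_accept_redirect(info, "10.1.1.1", "10.1.1.0/24", True))
```

Note that the source-address check is the weak one: an attacker on the same segment can forge the gateway's address, which is why the default policy in the example is to ignore redirects altogether and let the router keep the routing decision.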

Encrypted protocols are another important aspect of communication pathway security. Even the best design, proper installation, and reasonable physical isolation are no guarantee that a wired or wireless communication channel will not be the target of an eavesdropping, interception, or man-in-the-middle attack. Assuming that physical access is under your control all the time is naive. The possibility of an internal malicious entity or the planting of a socially engineered listening device always exists.

To thwart eavesdropping and the attacks built on it, you should encrypt all traffic over a network communication link. This especially applies to any traffic traversing a network segment physically accessible from outside your organization's facilities. But it also applies to physically isolated and internal connections. Compromise of any physical connection is always possible, so the best defense against content eavesdropping is encryption.

Physical access management should always be a part of communication pathway security. Even with encrypted protocols, attackers can gain significant information by eavesdropping on a network segment. Even if you encrypt every single packet (which is often not the case), eavesdropping can still glean a wide variety of information about the protected communications.

Such gleaned information includes the number and size of packets. From these, an observer can estimate the size of the payload delivered and, in turn, the likely type of data, such as e-mail transmission, Web surfing, file exchange, or database synchronization.

Eavesdropping can also reveal the identity of the endpoints of the secured communication. If the transaction uses transport mode encryption, then the endpoints are the actual sending and receiving hosts. If the transaction uses tunnel mode encryption, then the endpoints are either both VPN gateways or a VPN gateway and a remote host; the hosts behind a gateway stay hidden, but the gateway itself does not.

Eavesdropping can also reveal the general identity or purpose of each endpoint discovered, based on the timing and volume of traffic sent to and from it. This can allow an outside observer to reliably predict which endpoint is a server, a client, or a VPN gateway.

Generally, data gathering through eavesdropping on communications, whether encrypted or not, is known as traffic analysis. Such analysis can reveal many important details about internal processes and the importance, value, or criticality of systems. Thus, even with encryption, prevention of physical access to communication cables and wireless signals is paramount.
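
An added example (not part of the textbook) of traffic analysis on metadata alone: the packet records are constructed to resemble what a tap sees when every payload is encrypted, and the role and content heuristics are assumptions of the example, not established rules.

```python
# Added example, not from the textbook: what an eavesdropper can still learn
# from encrypted traffic. The packet records (time, src, dst, bytes) are
# constructed to resemble what a tap on a cable sees when payloads are
# encrypted; the role and content heuristics are assumptions of this example.
from collections import defaultdict


def make_flow(t0, a, b, fwd_bytes, fwd_pkts, rev_bytes, rev_pkts, gap=0.01):
    """Constructed flow: a sends fwd_pkts packets to b, then b replies."""
    pkts = [(t0 + gap * i, a, b, fwd_bytes // fwd_pkts) for i in range(fwd_pkts)]
    pkts += [(t0 + gap * (fwd_pkts + i), b, a, rev_bytes // rev_pkts) for i in range(rev_pkts)]
    return pkts


PACKETS = (
    make_flow(0.0,  "10.1.1.5",  "10.1.1.20", 600, 1, 45000, 30)            # small ask, big answer
    + make_flow(10.0, "10.1.1.6",  "10.1.1.20", 400, 1, 30000, 20)
    + make_flow(20.0, "10.1.1.7",  "10.1.1.30", 5_000_000, 100, 2000, 2)    # push to a file server
    + make_flow(30.0, "10.1.1.20", "10.1.1.40", 300_000, 50, 280_000, 50)   # near-symmetric sync
    + make_flow(40.0, "10.1.1.5",  "10.1.1.50", 640, 10, 640, 10, gap=1.0)  # tiny, regular beats
)


def flows_from_packets(packets):
    """Group packets by endpoint pair; whoever sent the first packet is the initiator."""
    flows = {}
    for t, src, dst, size in sorted(packets):
        if (src, dst) in flows:
            key, direction = (src, dst), "fwd"
        elif (dst, src) in flows:
            key, direction = (dst, src), "rev"
        else:
            key, direction = (src, dst), "fwd"
            flows[key] = {"fwd": 0, "rev": 0, "n": 0, "first": t, "last": t}
        f = flows[key]
        f[direction] += size
        f["n"] += 1
        f["last"] = t
    return flows


def endpoint_roles(flows):
    """Whoever accepts connections looks like a server; whoever only opens them, a client."""
    accepts, initiates = defaultdict(set), defaultdict(set)
    for initiator, responder in flows:
        initiates[initiator].add(responder)
        accepts[responder].add(initiator)
    roles = {}
    for ep in set(accepts) | set(initiates):
        if accepts[ep] and initiates[ep]:
            roles[ep] = "server (also initiates)"
        elif accepts[ep]:
            roles[ep] = "server"
        else:
            roles[ep] = "client"
    return roles


def guess_content(f):
    """Heuristic payload-type estimate from volume and direction asymmetry (assumed thresholds)."""
    total = f["fwd"] + f["rev"]
    if total < 2000:
        return "keepalive/interactive"
    ratio = f["rev"] / max(f["fwd"], 1)
    if ratio >= 5:
        return "download-heavy (Web-like)"
    if ratio <= 0.2:
        return "upload-heavy (file push)"
    return "symmetric (sync or replication)"


def analyze(packets):
    """Return (flows, endpoint roles, per-flow content guess) for a packet capture."""
    flows = flows_from_packets(packets)
    summary = {key: guess_content(f) for key, f in flows.items()}
    return flows, endpoint_roles(flows), summary


if __name__ == "__main__":
    flows, roles, summary = analyze(PACKETS)
    for key, f in flows.items():
        print(key, f["n"], "packets,", f["fwd"], "/", f["rev"], "bytes ->", summary[key])
    print(roles)
```

Nothing in the script looks at a payload byte, yet it recovers which host is the shared server, which flow is a bulk upload, and which pair exchanges a small regular heartbeat. That is the information physical access management is meant to keep from an outsider even when everything is encrypted.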

Filtering is another important part of communication pathway security. The movement of data between departments, subnets, WAN-connected LANs, and the Internet requires that you monitor and filter communications to prevent unauthorized disclosure, intrusion, and malicious code infection.

Covert channels are a risk for many organizations in communication pathway security and control. As discussed in Chapter 4, covert channels are pathways of communication unknown to or uncontrolled by security systems or personnel. Covert channels, whether timing- or storage-based, can leak information out or bring malicious content in.

The best defenses against covert channels include IDS and intrusion prevention system (IPS) technologies, as well as thoroughly watching all aspects of an IT infrastructure for aberrant or abnormal events of any type. Predicting covert channels is difficult because their very nature is to remain unknown and unseen.

While planning and designing communication pathway security, evaluate the protections you'll need for inbound and outbound traffic and how to manage internal-only, external-only, or border-crossing communications.

You'll need to examine inbound traffic by asking several key questions. Is the inbound communication a response to a previous request from an internal entity, or is it a communication that originates from an outside source? Responses are often allowed, unless the initial request itself was for a resource that's off limits. Restrictions along these lines include blocked protocols, IP addresses or domain names, unauthorized services and applications, or users without sufficient or correct authorization.

If the communication has external origins, rather than being a response, is the communication generally allowed or not? If the communication is for a resource offered to the public, then the communication could be allowed. However, if no public resources exist, the communication is more likely unauthorized.

Is the source address in the communication from a known or unknown location, and if known, is it known to be malicious or questionable? If the latter, then blocking the traffic is more likely the proper security stance. Is the traffic obviously spoofed? Does the traffic match any known malicious patterns, have any construction anomalies, or have questionable content? Can it otherwise be classified as abnormal or atypical? In most of these cases, the packet should be dropped rather than allowed to continue on to its claimed destination.

You should subject outbound traffic to the same investigations and analysis as inbound. Does the outbound communication take place over an abnormal protocol or port? Does it attempt to communicate with a blocked or prohibited host or service? Is the traffic spoofed, does it have abnormal time stamps, is it a clone of another packet, or is it part of a flood?

Fortunately, inbound and outbound traffic filtering is the primary function and purpose of firewalls using ingress- and egress-focused filters. Secure communications pathway management often requires the use of firewalls. Firewalls are an essential element in secure network design. For more on firewalls, see Chapter 2.
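
The inbound and outbound questions above, turned into code as an added example that is not from the textbook: a small stateful border filter. The site prefixes, published service, block list, outbound port policy, and flood limit are invented for an imaginary site, and the filter is assumed to sit where it sees untranslated internal addresses.

```python
# Added example, not from the textbook: a small stateful border filter that
# asks the inbound and outbound questions from the text of each packet. The
# prefixes, published service, block list, port policy and flood limit are
# assumed values for an imaginary site; the packets are constructed. The
# filter is assumed to sit where it sees untranslated internal addresses.
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8")]                   # assumed intranet prefix
DMZ = [ip_network("203.0.113.0/24")]                    # assumed DMZ prefix
PUBLISHED = {("203.0.113.20", "tcp", 443)}              # the one public service (assumed)
BLOCKED = [ip_network("192.0.2.0/24")]                  # assumed known-bad range
ALLOWED_OUT = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # assumed egress port policy
FLOOD_LIMIT = 20                                        # packets per source per window (assumed)


def in_any(ip, nets):
    a = ip_address(ip)
    return any(a in n for n in nets)


class BorderFilter:
    def __init__(self):
        self.flows = set()        # 5-tuples of connections opened from inside
        self.per_source = Counter()
        self.log = []             # (direction, src, dst, verdict, reason)

    def _verdict(self, direction, pkt, verdict, reason):
        self.log.append((direction, pkt["src"], pkt["dst"], verdict, reason))
        return verdict, reason

    def inbound(self, pkt):
        src, dst, proto = pkt["src"], pkt["dst"], pkt["proto"]
        self.per_source[src] += 1
        # Is the source obviously spoofed? Our own prefixes never arrive from outside.
        if in_any(src, INTERNAL + DMZ):
            return self._verdict("in", pkt, "drop", "spoofed source (claims to be ours)")
        # Is the source known to be malicious?
        if in_any(src, BLOCKED):
            return self._verdict("in", pkt, "drop", "known-bad source")
        # Is it part of a flood?
        if self.per_source[src] > FLOOD_LIMIT:
            return self._verdict("in", pkt, "drop", "flood from source")
        # Is it a response to something an internal host asked for?
        if (dst, pkt["dport"], src, pkt["sport"], proto) in self.flows:
            return self._verdict("in", pkt, "allow", "reply to tracked flow")
        # Externally originated: is it for a resource we publish?
        if (dst, proto, pkt["dport"]) in PUBLISHED:
            return self._verdict("in", pkt, "allow", "published service")
        return self._verdict("in", pkt, "drop", "unsolicited")

    def outbound(self, pkt):
        src, dst, proto = pkt["src"], pkt["dst"], pkt["proto"]
        # Egress anti-spoofing: only our own addresses may leave.
        if not in_any(src, INTERNAL + DMZ):
            return self._verdict("out", pkt, "drop", "spoofed source (not ours)")
        # Is it talking to a prohibited host?
        if in_any(dst, BLOCKED):
            return self._verdict("out", pkt, "drop", "blocked destination")
        # Is it using an abnormal protocol or port?
        if (proto, pkt["dport"]) not in ALLOWED_OUT:
            return self._verdict("out", pkt, "drop", "port not allowed outbound")
        self.flows.add((src, pkt["sport"], dst, pkt["dport"], proto))
        return self._verdict("out", pkt, "allow", "policy permits; flow tracked")


def packet(src, sport, dst, dport, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


def demo():
    """Constructed traffic exercising each rule; returns the list of verdicts."""
    fw = BorderFilter()
    return [
        fw.outbound(packet("10.1.2.3", 51000, "198.51.100.7", 443)),      # allow, tracked
        fw.inbound(packet("198.51.100.7", 443, "10.1.2.3", 51000)),       # allow, reply
        fw.inbound(packet("198.51.100.7", 443, "10.1.2.3", 51001)),       # drop, unsolicited
        fw.inbound(packet("10.9.9.9", 1234, "10.1.2.3", 22)),             # drop, spoofed
        fw.inbound(packet("198.51.100.50", 33000, "203.0.113.20", 443)),  # allow, published
        fw.inbound(packet("192.0.2.5", 33000, "203.0.113.20", 443)),      # drop, known-bad
        fw.outbound(packet("10.1.2.3", 51002, "198.51.100.7", 6667)),     # drop, odd port
        fw.outbound(packet("198.51.100.1", 51003, "198.51.100.7", 443)),  # drop, egress spoof
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The rule order matters: spoof and block-list checks run before the state lookup so that a forged "reply" from a known-bad source never reaches the tracked-flow shortcut, and every decision, allow or drop, is logged so the filter is also a source of accounting data.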

One final area of concern for communication pathway security is the difference between traffic management based on whether the traffic is internal-only, external-only, or border-crossing. Generally, internal-only traffic is more trustworthy than any other form of traffic. In most cases, internal traffic originates from a trusted internal host and terminates at a trusted internal host. However, because the possibility of a rogue internal host or a malicious insider always exists, blindly trusting internal traffic just because it originates internally is a security blunder.

A good practice is to treat all traffic with caution. Trust nothing until it's proven to comply with security policy and not to match any known malicious patterns. Monitoring and filtering of internal communications is as important as monitoring external and border-crossing communications.

Naturally, external-only communications are more likely to be malicious, but since they neither originate from nor terminate at an internal host, there's usually little need for concern. Malicious activity that does not attempt to breach your network borders is not really your problem. However, if external-only communications are defined as those that do not interact with your intranet but may interact with your DMZ or extranet, then you should be concerned.

With this definition of external-only communications, you must filter, monitor, and block the most obvious malicious packets and events, but still allow any conforming communication request even if the origin or source is unfamiliar.

Border-crossing communications are those that either leave the intranet heading to the Internet or enter the intranet from the Internet. In either case, an increased risk of compromise exists. Inbound communications could be carrying malicious code or an intrusion attempt. Outbound communications could be revealing internal secrets or distributing confidential files. While these are extreme examples, they're not uncommon. Most border-crossing traffic is benign, but since the risk of malicious traffic is greater at border crossings, you need additional filtering, monitoring, and blocking.

Controlling communication pathways is an important part of managing and designing network security. But another important piece of the security puzzle is management of the hardened systems between which the secured communications take place.

Hardening Systems

Hardening systems focuses on improving the security of hosts and nodes. Hardening is the process of reducing the attack surface of a potential target by removing unnecessary components and adding in protections. While each organization usually creates its own custom, internal hardening processes and procedures, most hardening guidelines have common elements and components.

Some of the common recommendations to improve the security or harden a host include:

Remove all unnecessary protocols.

Uninstall all unnecessary applications and services.

Define a complex password for all accounts; do not leave any account with a default password or a blank password.

Configure account lockout and define a logon warning banner.

Install all available final-release updates, patches, fixes, service packs, and so on for the operating system and every remaining application and service.

Update all hardware device firmware or BIOS with the latest final release from the vendor.

Install the latest final releases of all device drivers.

Install and update antivirus and anti-malware scanners.

Configure communication encryption.

Install and configure a host firewall.

Use a file system that supports file-level permissions and auditing.

Configure system monitoring and auditing.

Synchronize the clock.

Run vulnerability assessment tools against the host, such as HFNetChkPro and Nessus.

Configure regular backups.

Impose any organization-specific security limitations, such as blocking USB drives or using allow-list (whitelist) execution control; this is often performed using a security template file.

In Windows, disable the guest account and rename the Administrator account. In Unix, establish policies whereby the root account is never used directly; administrators must use su (or sudo) to obtain root access, which creates a log of who assumed the privilege and when.

In addition to these hardening suggestions, organizations add further steps to their hardening procedures based on the purpose of the system, the criticality of the system, and the risk present in the environment.

Once you've hardened your system, you must maintain it over time. On a regular schedule, re-examine every host against your organization's hardening policies to ensure compliance. Remove from service any system out of compliance with hardening policies until you are able to bring it into compliance. Then investigate the cause of the security noncompliance and take countermeasures to prevent a recurrence.

Equipment Selection

Equipment selection is a commonly overlooked aspect of secure network design. The general belief that any hardware capable of performing an IT function is suitable for deployment is, unfortunately, not the case. Both cheap and expensive products may have well-known or not-yet-discovered security flaws.

Arbitrarily or automatically choosing the least expensive or the most expensive products isn't a winning security strategy. You should carefully evaluate each piece of computer equipment, from network device to host system, for its native security defenses or lack thereof, regardless of its cost.

As you select, purchase, and deploy equipment, consider the vulnerabilities introduced and any protections or improvements to the infrastructure's security stance. Every piece of equipment will either improve security or reduce it in some way. Some equipment adds new weak points or expands the organization's attack surface, while other equipment will act as a countermeasure, protecting weak points of other components and reducing the attack surface.

Whenever possible, select equipment providing greater improvement to security rather than acting as a detriment. This seems an obvious guideline, but you can only follow it if you are conscientious about evaluating the security profile of each device. Failing to evaluate the security of a new device properly could mean that you inadvertently introduce new vulnerabilities into the organization's network and systems.

Some of the security concerns regarding equipment include:

Electricity consumption—Excessive energy use can cause not only increased electric bills, but also increased temperature within the device and on electrical distribution systems. A circuit drawing too much power can cause a breaker overload. A tripped breaker causes downtime and may cause data loss and equipment damage.

Heat produced—The more heat a device produces, the more the heating, ventilation, and cooling (HVAC) system must work to keep the temperature of the room within acceptable boundaries. Excessive heat-producing devices can also increase the risk of fire.

Reset button—A reset button is used to return a device to the default factory settings. Any defined security configuration on the device is lost if someone presses the reset button. When possible, select equipment without a reset button, or with a button that can be disabled, to provide physical security for the device.

Easy access power switch—If the power switch is easily accessed or triggered, casual contact with the device could cause power interruption. Additionally, an easy-access power switch allows a malicious person to power off equipment or trigger a reboot.

Easy access management console port or interface—If a device can be reconfigured through an LCD screen and a few buttons (such as a printer), or if a console or terminal port allows quick access to a configuration or management interface (such as a wireless access point, router, or switch), then use caution when deploying the device and assess the level of physical access security.

Removable media—Equipment with removable media bays (such as tapes, optical discs, floppies, and so on) or external peripheral ports (such as Universal Serial Bus (USB), FireWire, Ethernet, and so on) may be easier to compromise than those with fewer or none of these access points.

Removable case—The easier it is to remove or open the case of a device, the easier it is to hack into the device, plant a listener, or modify its functions.

Portability—Is the device small enough to fit into a pocket, purse, or backpack, making it easy to steal?

Rack mountable—A rack-mounted device is less likely to be stolen once screwed into a rack case, which can be locked.

BIOS/firmware flashing—Being able to change the embedded software of a device is both a benefit and a problem. Flashing to an updated, more secure version of firmware is a positive benefit. However, being able to replace firmware with a third-party version or an older version with flaws could be a problem if an attacker can perform this easily.

Remote connection—If remote connectivity to a device is possible, then risk increases. Limit, encrypt, and monitor remote connections.

Plaintext protocols—The more a device defaults to or only supports plaintext protocols, the less secure it is. Choose equipment that supports encryption.

Many other aspects of equipment security are important when evaluating the deployment of a new device. Whether a high-end server, a user's notebook, a smart phone, a network router, or anything else, consider the security of equipment thoroughly and don't just make purchasing recommendations based on equipment cost.

Keep in mind that devices that are cheap or free up front may cost considerably more to manage and secure over time than a more expensive device. However, just because something has a high cost doesn't ensure that it has a low security management requirement. Money alone is rarely the true measure of the security of anything.

Authentication, Authorization, and Accounting

Security ultimately is supported and enforced by authentication, authorization, and accounting. Without all three of these security fundamentals properly implemented, real security cannot exist.

Authentication is the verification or proof of someone or something's identity. The most common form of authentication is the use of a password. While passwords are the most common, they are also one of the weakest forms of authentication. People often pick passwords that are easy to guess or that are somehow predictable. They often re-use the same passwords on multiple systems.

Passwords should reside in account databases only in hashed form, which means the original password can't be recovered from the hash value. However, by hashing large numbers of potential passwords, password-cracking techniques can potentially match a candidate's hash to the target hash. Password cracking techniques including dictionary attacks, brute force attacks, and hybrid attacks can often reveal poorly constructed passwords.

Multifactor authentication is significantly more secure than any single factor form of authentication. Passwords are but one example of the first type of authentication factor. Three commonly recognized authentication factors are:

Type 1—Something you know

Type 2—Something you have

Type 3—Something you are/do

technical TIP

Password cracking typically focuses on generating and hashing large numbers of passwords with the goal of matching a stolen or captured password hash. Dictionary password cracking uses a pre-created list of potential passwords. Each password from the list is hashed using the same hashing algorithm as the target/stolen password. If a match is found before the list is exhausted, the attack is successful.

A brute force attack builds potential passwords out of a selected character set, creating ever longer passwords using every possible valid combination of characters. The attacker hashes each crafted password and compares it to the target hash until a match is found or the attack is abandoned. Given enough time and the right character set, a brute force attack will eventually be successful.

A hybrid attack uses a dictionary list as seed passwords that are then brute-force-modified. First the attacker makes all possible one-character modifications, then two, then three. This technique is often more successful, since many people pick an easy-to-remember word and then make only a few character modifications, such as changing an "a" to an "@" or an "l" to a "1", or just adding one or two characters.

The best defense against password cracking techniques is to select a long password. For example, using passwords of at least 15 characters on Windows systems avoids the weakness of the backward-compatible (and vulnerable to brute-force cracking) LANMAN hash, which is only stored for passwords of 14 characters or fewer. (Modern Windows versions can, and should, be configured not to store LANMAN hashes at all.) Adding complexity (mixing multiple character types: uppercase, lowercase, numbers, and symbols) and using multiple words or phrases instead of a single base word also improve password strength.
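
The three techniques in this tip, as an added example (not from the textbook) run against unsalted SHA-256 hashes. The word list, mutation rules, and hashes are constructed; the assumption that makes offline cracking possible at all is that the attacker knows which hash function the target system used.

```python
# Added example, not from the textbook: the three cracking techniques from the
# tip, run against unsalted SHA-256 hashes. The word list, mutation rules and
# "stolen" hashes are constructed; the hash function is assumed to be the one
# the target system used, which is what makes offline cracking possible.
import hashlib
import itertools


def h(password: str) -> str:
    """The target system's (assumed) unsalted password hash."""
    return hashlib.sha256(password.encode()).hexdigest()


WORDLIST = ["password", "letmein", "summer", "welcome", "dragon"]   # constructed
LEET = {"a": "@", "e": "3", "i": "1", "l": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "!", "123", "2020", "2020!"]


def dictionary_attack(target: str, words):
    """Hash each list entry as-is; success if any matches the stolen hash."""
    for word in words:
        if h(word) == target:
            return word
    return None


def mutations(word: str):
    """Hybrid candidates: case variants, one leet substitution, common suffixes."""
    bases = [word, word.capitalize(), word.upper()]
    variants = []
    for base in bases:
        variants.append(base)
        for i, ch in enumerate(base):                 # exactly one substitution
            if ch.lower() in LEET:
                variants.append(base[:i] + LEET[ch.lower()] + base[i + 1:])
    seen = set()
    for v in variants:
        for suffix in SUFFIXES:
            cand = v + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def hybrid_attack(target: str, words):
    """Dictionary words plus the small modifications people actually make."""
    for word in words:
        for cand in mutations(word):
            if h(cand) == target:
                return cand
    return None


def brute_force(target: str, charset: str, max_len: int):
    """Try every string up to max_len; returns (match or None, candidates tried)."""
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            tried += 1
            cand = "".join(combo)
            if h(cand) == target:
                return cand, tried
    return None, tried


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidates a full brute force of lengths 1..max_len must hash."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    print(dictionary_attack(h("letmein"), WORDLIST))
    print(hybrid_attack(h("P@ssword1"), WORDLIST))
    print(brute_force(h("ab1"), "ab1", 3))
    print(hybrid_attack(h("correct horse battery staple"), WORDLIST))
    print(keyspace(95, 8), "vs", keyspace(95, 15))
```

`keyspace` shows why length beats complexity: every extra character multiplies the brute-force work by the size of the character set, while `hybrid_attack` shows why a single dictionary word with a substitution and a year tacked on does not count as long. Salting and a deliberately slow hash (which the example omits) do not change the search space, but they stop one precomputed list from serving against every account.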

Something you know can be anything you memorize so that you can type, write, or speak it when asked to authenticate. Passwords are the most common example of a Type 1 authentication factor.

Something you have can be anything you must physically carry with you, such as a device or token. These can include metal keys, smart cards, radio-frequency identification (RFID) chips, ID badges, or electronic devices known as dynamic password tokens.

technical TIP

A dynamic password token is a device with a display screen that shows a seemingly random, non-repeating, one-time-use password. The password displayed on the token must be included in the logon process, usually together with a separate Type 1 PIN or password. This two-part mechanism is a form of multifactor authentication.
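
An added example (not from the textbook) of the arithmetic inside a dynamic password token: HOTP from RFC 4226 and its time-based form TOTP from RFC 6238, implemented with the Python standard library, plus a server-side check that requires both the PIN (Type 1) and the token code (Type 2) and refuses a replayed code. The secret is the RFC test key; the PIN storage and the clock-skew window are assumptions of the example.

```python
# Added example, not from the textbook: the arithmetic inside a dynamic password
# token, HOTP (RFC 4226) and its time-based form TOTP (RFC 6238), using only the
# standard library, plus a login check that demands both the PIN (Type 1) and
# the token code (Type 2) and refuses a replayed code. The secret is the RFC
# test key and the PIN is a constructed value, not real credentials.
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the clock."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now // step), digits)


def pin_hash(pin: str) -> str:
    """How this example stores the PIN (assumption: plain SHA-256; a real
    deployment would use a salted, deliberately slow password hash)."""
    return hashlib.sha256(pin.encode()).hexdigest()


class TokenVerifier:
    """Server-side check for PIN + token code (two factors).

    Assumptions of this example: a +/- one step window absorbs clock drift,
    and a code can be used only once: the counter of the last accepted code is
    remembered so a captured code cannot be replayed.
    """

    def __init__(self, secret: bytes, stored_pin_hash: str, step: int = 30, window: int = 1):
        self.secret, self.pin_hash = secret, stored_pin_hash
        self.step, self.window = step, window
        self.last_counter = -1

    def verify(self, pin: str, code: str, now: float) -> bool:
        pin_ok = hmac.compare_digest(pin_hash(pin), self.pin_hash)
        base = int(now // self.step)
        matched = None
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            # Evaluate every candidate (no early exit) so timing does not leak which one matched.
            if hmac.compare_digest(hotp(self.secret, counter), code) and counter > self.last_counter:
                matched = counter
        if pin_ok and matched is not None:
            self.last_counter = matched
            return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"              # RFC 4226 / RFC 6238 test secret
    print([hotp(key, c) for c in range(3)])    # RFC 4226 vectors: 755224 287082 359152
    print(totp(key, now=59))                   # RFC 6238 vector (6 digits): 287082
    v = TokenVerifier(key, pin_hash("1234"))
    print(v.verify("1234", totp(key, 59), 59), v.verify("1234", totp(key, 59), 59))
```

Two design points matter in `verify`: both factors are evaluated before the decision so a wrong PIN and a wrong code take the same time, and the last accepted counter is stored so that a code captured over the shoulder or on the wire is useless once it has been used.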

Something you are or do is commonly known as biometrics. Some part of the human body, or a characteristic behavior, is used as an element in an authentication process. This can include fingerprints, retina scans, facial geometry, palm scans, signature dynamics, keystroke dynamics, and voice-pattern analysis.

A mixture of two or more authentication factors is multifactor authentication. Multifactor authentication is much more secure than single-factor. With single-factor authentication, an attacker only needs a single skill or exploit to successfully log on with a compromised user account. With multifactor authentication, an attacker needs multiple skills or exploits, one per factor, to successfully log on with a compromised user account.

Strong authentication prevents unauthorized entities from gaining easy access to the internal workings of an organization's infrastructure. Apply strong authentication to the logical environment as well as the physical environment.

Authorization, commonly known as access control, defines what actions a user can and can't perform. Proper granular use of authorization ensures that authorized users perform only authorized activities.

The principle of least privilege is a good guideline for choosing the most appropriate authorization settings. This principle states that you should grant users only the capabilities, permissions, and privileges needed to complete their assigned work. In other words, you grant users enough power and access to perform their assigned work, and nothing beyond what their job descriptions require.

Accounting is the activity of logging, monitoring, and auditing the environment, focusing on users as well as system activities, to check for security policy compliance. Accounting is the process of holding users and systems accountable for their actions and activities. Through thorough accounting and detailed auditing, you can detect and respond to violations, attempted violations, or trends toward violations.
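
An added example (not from the textbook) of least privilege and accounting together: a deny-by-default authorizer whose every decision is logged, with a query that surfaces users accumulating denials. The roles, users, and request sequence are invented.

```python
# Added example, not from the textbook: least-privilege authorization that
# denies by default, with an accounting trail that records every decision and
# surfaces users whose repeated denials suggest probing. Roles, users and the
# request sequence are constructed for an imaginary organization.
from collections import Counter

# Each role carries only the (action, resource) pairs its job needs.
ROLE_PERMISSIONS = {
    "helpdesk": {("read", "tickets"), ("update", "tickets"),
                 ("reset", "password:standard-users")},   # not privileged accounts
    "dba":      {("read", "db"), ("write", "db"), ("backup", "db")},
    "auditor":  {("read", "audit-log"), ("read", "db")},
}
USER_ROLES = {"alice": {"helpdesk"}, "bob": {"dba"}, "carol": {"auditor"}}


class Authorizer:
    def __init__(self, role_permissions=ROLE_PERMISSIONS, user_roles=USER_ROLES):
        self.role_permissions = role_permissions
        self.user_roles = user_roles
        self.audit = []          # accounting: one record per decision, allow or deny

    def check(self, user: str, action: str, resource: str) -> bool:
        """Allow only if some role of the user explicitly grants (action, resource)."""
        granted = any((action, resource) in self.role_permissions.get(role, set())
                      for role in self.user_roles.get(user, set()))   # unknown user: no roles
        self.audit.append({"user": user, "action": action, "resource": resource,
                           "result": "allow" if granted else "deny"})
        return granted

    def denials(self) -> Counter:
        return Counter(r["user"] for r in self.audit if r["result"] == "deny")

    def probing_users(self, threshold: int = 3):
        """Users with at least `threshold` denials: a trend toward violation worth a look."""
        return sorted(u for u, n in self.denials().items() if n >= threshold)


def demo():
    """Constructed request sequence; returns (decisions, flagged users, audit size)."""
    az = Authorizer()
    results = [
        az.check("alice", "read", "tickets"),                   # allowed by helpdesk role
        az.check("alice", "reset", "password:standard-users"),  # allowed
        az.check("alice", "reset", "password:privileged"),      # denied: outside her job
        az.check("bob", "write", "db"),                         # allowed by dba role
        az.check("carol", "read", "db"),                        # allowed: auditors read
        az.check("carol", "write", "db"),                       # denied: auditors never write
        az.check("mallory", "read", "db"),                      # denied: no account, no roles
        az.check("mallory", "read", "tickets"),                 # denied
        az.check("mallory", "backup", "db"),                    # denied
    ]
    return results, az.probing_users(), len(az.audit)


if __name__ == "__main__":
    print(demo())
```

The authorizer never has an "allow" branch that is not backed by an explicit grant, which is least privilege in code, and the audit list is what accounting needs: denials are recorded as carefully as successes, because a run of denials from one account is the earliest signal of an intruder feeling out what a stolen credential can do.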

Remember, security is locking things down, then watching for attempts to breach the lock. Authentication and authorization are a form of locking, and accounting is the watching. However, these are not the only forms of locking and watching on a secure network. Another important area of network security is communication encryption.

Communication Encryption

Communication encryption is the use of encryption protocols to secure the contents of communications. Use encryption any time a transaction occurs with an outside entity. Use encryption when a communication crosses a segment that is at risk of eavesdropping. You should also use encryption internally whenever the potential for loss or compromise, even by internal personnel, would cause significant harm to the organization.

You can protect transactions with encryption in two main ways. One is to use encapsulating intermediary protocols that provide encryption, such as IPsec and SSL/TLS; another is to encrypt the data before it goes to a network protocol.

Protocol encryption ensures that all or most data sent over the network is safe from eavesdropping, modification, and other forms of compromise. A widely used mechanism of protocol encryption is the VPN. VPNs can function between individual systems, between entire networks, or between any other combination of endpoints.

Data encryption, performed by the client or server software, ensures that even if the protocol encryption fails or is compromised, the data itself is safe by its own encryption. Software or data encryption is not as interoperable as protocol or VPN encryption, but it can be a viable option when both endpoints of the transaction are using compatible software components.

When in doubt, always encrypt. While not a perfect solution, since no perfect security solution exists, encryption offers significant protection from outside eavesdropping and modification. However, encryption fails if the selected algorithm is poor, if key management is insecure, if either endpoint of the communication has been compromised (such as by intrusion or planting of malicious code), or if intermediary nodes that decrypt and re-encrypt traffic (each of which sees the plaintext) fail or are compromised.

Choosing to encrypt by default is an excellent network security rule of thumb. This guideline does not imply that the same encryption protects both internal-only communications and those that cross the network's boundaries. In deciding what encryption to use, it's important to consider where the hosts are located.

Hosts: Local Only or Remote and Mobile When designing network security, focus on the function of each device as well as the physical and logical location of the device. When a host is local and communicates with only other local hosts, then you can use slightly less stringent application of security on internal communications. Howev- er, when a host is remote or mobile or otherwise outside of the private network, use significant additional precautions.

Once you allow remote access, you lose the benefit of the physical access controls. Once you support remote connectivity, a hacker or intruder need no longer be physically present in a facility to launch an attack. Thus, re- mote access itself is a risk, and it lowers the overall security of an environ- ment. To compensate for this security reduction, you should impose more rigid limitations in terms of authentication, authorization, and account- ing.

As security is designed and deployed, consider the purpose or function of each device, especially clients and servers, as well as its location in one (or more) of the seven domains of a typical IT infrastructure (see Figure 5-1). Then, consider what other devices will need to communicate with it. The more vulnerable the communications pathways, the more security you will need to impose.

If both endpoints are physically located in the same facility, but the network pathway linking them involves any exterior segments, then the transaction demands greater security than a local-only communication. If the endpoints are geographically distant, use encrypted communications.

Remote and mobile devices are inherently more risky, as they are exposed to a greater number of potential threats. Inside the office, most threats are known, controlled, and monitored. But mobile and remote devices are potentially exposed to unknown, uncontrolled, and unmonitored situations, data, software, and users. Being outside of the organization's facility also means less strictly controlled physical access to the device.

technical TIP

Location-aware anti-theft software periodically collects IP information and any available location data and uploads it to a centralized site. If the owner of a system reports the item lost or stolen, this automatically posted data might help recover the device. However, if the thief reformats the hard drive, the anti-theft software might be removed, which is one reason whole-disk encryption, not recovery software, remains the primary protection for the data itself.

These changes to security and potential exposure to risks require additional protections on remote and mobile devices. These devices should continue to host antivirus scanners, anti-malware scanners, and host firewalls. But they also benefit from whole hard drive encryption, multifactor authentication, and location-aware anti-theft software.

Remote and mobile devices are the most likely to be out of compliance with security requirements, such as patch levels or application of security templates. A Network Access Control (NAC) system can isolate and quarantine such devices until they have installed all necessary patches and updates.

Even with good host management, whether local, remote, or mobile, consider redundancy requirements. Is one of something enough, or just enough to cause a significant problem when it goes offline?

Redundancy

Security is not complete without adequately addressing preparedness. Redundancy is at the heart of preparedness. Can your organization survive downtime, blackouts, communication loss, server crashes, hard drive failure, floods, building eviction, virus infection, or any other potential threat? In most cases the ability to answer "yes, the organization can survive" depends on the level of preparedness of that organization.

Preparedness is also known as business continuity planning or disaster recovery planning. The purpose of such planning is to ensure a plan exists to recover from any realistic threat. Assess each serious threat to the stability and function of the organization. Then, develop procedures to respond to the threat. The procedure can focus on prevention or recovery (or a combination of both).

A core element throughout this form of planning is redundancy. Redundancy is the act of avoiding single points of failure by building in multiple elements, pathways, or methods of accomplishing each mission-critical task.

Redundancy works in many ways. A Redundant Array of Inexpensive (or Independent) Disks (RAID) is a form of redundancy for hard drives. RAID levels that mirror or add parity (RAID 1, 5, 6, 10) protect against drive failure; RAID 0 only stripes data across drives for performance and provides no redundancy at all. RAID also does not protect against deletion, corruption, or ransomware, so it complements backups rather than replacing them. An Uninterruptible Power Supply (UPS) is a form of redundancy for power. UPS devices provide temporary power in the event of a brownout or blackout. A UPS can trigger a graceful shutdown to prevent loss of data if facility power is not restored promptly.

Redundancy can apply to communication pathways. Good network design requires at least two pathways to every important resource. Redundant links to and from clients may not be a strong need in most cases, but having multiple pathways to reach resources is often essential.

Redundant communication links for voice and data are also important considerations. Construction workers could accidentally dig in the wrong location and sever the primary cable bundle supporting the organization. Redundant lines to service providers could make the difference between a nuisance and a company-ending event. Two links are only redundant if they take physically separate paths; circuits from different providers that share the same conduit or building entry point fail together. Do you want to leave the power to terminate your organization in the hands of outsiders?

Redundant firewalls, proxies, routers, switches, servers, and databases begin to make security and financial sense once they become an essential or mission-critical element of the IT infrastructure. Don't entrust the viability of an organization to any single component. Always have a secondary option or backup plan.

Failing to plan is planning to fail. Hardware failures, mistakes, accidents, or intentional damage will occur in every system in an organization at some point. No organization is immune. The difference is whether an organization is prepared for the problem with a ready-to-use response solution, or will be caught off guard, scrambling to recover in a panic.

Node Security

Implementing network security is about both the big picture and the granular details. Infrastructure design, topology, and redundancy are all important big-picture items. But do not overlook the details that need attention on a node-by-node basis.

A node is any device on the network, even those without an IP address. Node security focuses on the tasks for each type of networking device to improve its security. Node security or node hardening takes the generic recommendations of system hardening and expands them with additional node/host specific improvements.

Clients

Clients are the devices directly controlled by people. Thus, clients must protect the network from the user and vice versa. Thinking of clients as two-way interfaces can assist in proper security design and implementation for this common and essential IT infrastructure component.

Every client needs the following security elements:

Antivirus and anti-malware scanners

Host firewall

Secured Internet client software—browser, e-mail, file transfer, chat, and so on.

Password-protected screen saver with auto timeout

Ability to encrypt network communications

Ability to encrypt storage devices

Auditing of all user activity

An integrity checking system that monitors for unauthorized file changes using hash value comparison

Clients should be subject to NAC procedures to prevent an insecure client from compromising the rest of the network. Use multifactor authentication whenever possible to minimize the risk of an unauthorized person gaining access to the client and hence to the entire network.

Servers

Servers are the backbone of any IT infrastructure. Whether a file server, database host, e-mail server, proxy server, or authentication server, a server usually supports an essential or mission-critical function for the organization. Servers need protection against downtime. This can include redundancy in the form of RAID, duplicate servers, and/or clustering.

Duplicate servers means having two identically configured systems running side by side, but only one performing services live for the network (an active/passive pair). The second system acts as a backup and receives all data changes as they occur. In the event of a primary server failure, the secondary server takes over supporting the services for the network. Test the failover regularly; a standby that has never been exercised may not come up when it is needed.

Clustering is having two or more identically configured systems running as a collective (active/active). All the systems share in supporting the live service to the network. If any member of the cluster goes offline, the remaining members continue supporting the service. Clustering allows a service to be consistently available while still allowing for scheduled maintenance and occasional individual server downtime.

Servers need strong multifactor authentication to ensure that only administrators can ever log into them at the keyboard. Sequester servers in a dedicated room or vault to prevent casual or intentional access by unauthorized users. Lock and monitor the server vault at all times.

Routers

Routers are an essential traffic-management device of any network. Network router security is primarily about preventing unauthorized access. First and foremost, a router should be physically inaccessible to any non-administrator. All router configuration or management interfaces must require strong authentication. Some environments have elected to eliminate local accounts on the routers themselves and rely upon Terminal Access Controller Access-Control System Plus (TACACS+) for router authentication and access; if you do this, make sure there is still an out-of-band way in when the TACACS+ server is unreachable.

Limit management interface access to a direct console or terminal cable connection only, rather than allowing in-network access. Where remote management cannot be avoided, confine it to a dedicated management network or VLAN, restrict the permitted source addresses with an access list, and use SSH rather than Telnet. Require that all management interface communications and router-to-router communications be encrypted, and at minimum authenticate routing-protocol updates so a rogue device cannot inject routes.

If a password is stored in a configuration file for the router, be sure to use a storage format that is not easily cracked or reversed. For example, the Cisco IOS "password 7" format (produced by service password-encryption) is not a hash at all: it is a reversible XOR obfuscation with a fixed, publicly known key, and tools dating back to 1997 recover the plaintext instantly. Use enable secret, which stores a real one-way hash (MD5 on older IOS, PBKDF2 or scrypt on current releases), and treat any type 7 string found in a saved configuration as already exposed.
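To make the point concrete, here is an added example (not code from the textbook) that encodes and decodes the IOS type 7 format and audits a configuration for it. A type 7 string is two decimal digits giving an offset into a fixed key, followed by each plaintext byte XORed with successive key bytes and written as hex, so anyone holding a config can read every such password. The configuration fragment and the secrets in it are constructed for the example.

```python
"""Added example (not from the textbook): encoder, decoder and config auditor for
the Cisco IOS "password 7" format, to show that it is reversible obfuscation rather
than hashing. A type 7 string is two decimal digits (an offset into a fixed key)
followed by each plaintext byte XORed with the next key byte, written as hex. The
sample configuration below is constructed for the example."""
import re

# The fixed XOR key used by the IOS type 7 scheme; public since the 1990s.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string; raises ValueError if malformed."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings have an even length of at least 4 characters")
    seed = int(encoded[:2])  # starting offset into the key
    if seed >= len(_TYPE7_KEY):
        raise ValueError("offset outside the key")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Produce a type 7 string; IOS picks a small random seed, here it is a parameter."""
    if not 0 <= seed < len(_TYPE7_KEY):
        raise ValueError("seed must be a valid key offset")
    data = plaintext.encode("ascii")
    body = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


_TYPE7_LINE = re.compile(r"\b(?:password|key) 7 ([0-9A-Fa-f]{4,})\b")


def audit_type7(config_text: str) -> list:
    """Find every 'password 7' / 'key 7' value in a config; return (line number, plaintext)."""
    found = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = _TYPE7_LINE.search(line)
        if match:
            found.append((lineno, type7_decode(match.group(1))))
    return found


# Constructed IOS configuration fragment (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
service password-encryption
username admin password 7 0822455D0A16
tacacs-server key 7 03105A08070C32
! an 'enable secret' line (type 5/8/9) is a real one-way hash and is not matched here
"""

if __name__ == "__main__":
    for lineno, secret in audit_type7(SAMPLE_CONFIG):
        print(f"line {lineno}: plaintext = {secret!r}")
```

Running the audit over a configuration backup before it is checked into a repository or attached to a ticket is a cheap way to catch exposed credentials; the same pattern also matches the TACACS+ and RADIUS shared keys, which are stored the same way.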

Generally, configure the following on the router:

Block all directed IP broadcasts.

Drop all packets from the Internet using an RFC 1918 source address or any other internal address.

Disable the TCP and UDP small services of echo, chargen, discard, and daytime (ports 7, 19, 9, and 13).

Enable a warning banner for all attempted connections to the router, especially to the management interface.

If SNMP is used on the network, require SNMP v3, which provides authentication and encryption of SNMP sessions. Community names exist only in SNMP v1 and v2c; if those versions cannot be retired, at least replace the default public and private communities with custom names and restrict which hosts may query the device.
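The four rules above are usually written as interface commands and access lists on the router itself. As an added example (not from the textbook), the following models those ingress rules in Python and applies them to constructed packets, so the ordering and the edge cases are visible: an RFC 1918 or internal source arriving on the outside interface, a directed broadcast to an internal subnet, and a connection to one of the small services. The interface names, address blocks and packets are assumptions for the example.

```python
"""Added example (not from the textbook): a small model of the border-router ingress
rules listed above, applied to constructed packets. It drops packets arriving on the
outside interface with an RFC 1918 or internal source address, drops directed
broadcasts aimed at internal subnets, and drops connections to the TCP/UDP small
services. The interface names, subnets and packets are assumptions for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network
RFC1918 = [IPNet("10.0.0.0/8"), IPNet("172.16.0.0/12"), IPNet("192.168.0.0/16")]
# Assumed address blocks behind this router (example values, documentation ranges).
INTERNAL = [IPNet("203.0.113.0/24"), IPNet("192.168.50.0/24")]
SMALL_SERVICES = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen"}


@dataclass(frozen=True)
class Packet:
    in_iface: str            # "outside" or "inside" (assumed names)
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def ingress_verdict(pkt: Packet) -> tuple:
    """Return ("drop", reason) or ("accept", "ok") for one packet, in rule order."""
    src = ipaddress.IPv4Address(pkt.src)
    dst = ipaddress.IPv4Address(pkt.dst)
    if pkt.in_iface == "outside":
        # Anti-spoofing: nothing legitimate on the Internet carries these sources.
        if any(src in net for net in RFC1918):
            return ("drop", "rfc1918-source-from-internet")
        if any(src in net for net in INTERNAL):
            return ("drop", "spoofed-internal-source")
    # Directed broadcast: a routed packet whose destination is a subnet broadcast address.
    if any(dst == net.broadcast_address for net in INTERNAL):
        return ("drop", "directed-broadcast")
    if pkt.proto in ("tcp", "udp") and pkt.dport in SMALL_SERVICES:
        return ("drop", "small-service-" + SMALL_SERVICES[pkt.dport])
    return ("accept", "ok")


# Constructed packets (not captured traffic).
SAMPLE_PACKETS = [
    Packet("outside", "10.1.2.3", "203.0.113.10", "tcp", 443),
    Packet("outside", "203.0.113.77", "203.0.113.10", "tcp", 22),
    Packet("outside", "198.51.100.5", "203.0.113.255", "icmp"),
    Packet("outside", "198.51.100.5", "203.0.113.10", "udp", 19),
    Packet("outside", "198.51.100.5", "203.0.113.10", "tcp", 443),
    Packet("inside", "192.168.50.20", "198.51.100.5", "tcp", 80),
]


def run_demo(packets=SAMPLE_PACKETS) -> list:
    """Verdict reason for every packet, in order."""
    return [ingress_verdict(p)[1] for p in packets]


if __name__ == "__main__":
    for pkt, reason in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{pkt.in_iface:7} {pkt.src:>14} -> {pkt.dst:<14} {pkt.proto:4} {reason}")
```

Note the last packet: an RFC 1918 source is dropped only on the outside interface, because internal hosts legitimately use those addresses before NAT. On Cisco IOS the equivalent controls are an inbound access list (or unicast reverse-path forwarding) on the outside interface, no ip directed-broadcast per interface, and no service tcp-small-servers / no service udp-small-servers.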

Consider the software or firmware of the router. Only install full final releases, never beta or partial firmware. If you are concerned that the latest release has not been thoroughly tested in the real world, staying on a previous release is acceptable, provided there are no published reports of critical security flaws in it.

Try to limit the use of a router as a filtering device. Keep the router focused on routing traffic and implement firewalls to provide content filtering and blocking of suspicious or malicious traffic. Protect any router considered a border router with a firewall.

Switches

Switch security is similar to router security. Maintain control over who can physically reach the switch. Limit access to management consoles and require strong authentication to access the management interface. If a password is stored in a configuration file for the switch, be sure to use a storage format not easily cracked or reversed.

If SNMP is used on the network, require SNMP v3, which provides authentication and encryption of SNMP sessions. Community names exist only in SNMP v1 and v2c; if those versions cannot be retired, at least replace the default public and private communities with custom names and restrict which hosts may query the device.

Consider the software or firmware of the switch. Only install full final releases, never beta or partial firmware. If you are concerned that the latest release has not been thoroughly tested in the real world, staying on a previous release is acceptable, provided there are no published reports of critical security flaws in it.

Consider deploying switches that support IDS-like features such as watching for MAC spoofing and ARP flooding. MAC spoofing tricks a switch into thinking an attacker's computer is actually a legitimate host: the attacker copies (spoofs) a legitimate MAC address. If the switch monitors for MAC addresses that change ports (port security with learned, or "sticky", addresses is the usual implementation), MAC spoofing ceases to be a serious threat, unless the attacker can physically reach the port where the legitimate MAC is connected.

ARP flooding (more precisely MAC flooding, or CAM table overflow) overloads a switch's address table with frames from thousands of bogus source addresses, so that instead of forwarding frames out the correct port the switch falls back into flooding mode and transmits frames out all ports, like a hub. This attack is a form of active sniffing, an attempt to eavesdrop on switched networks.
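Both conditions are detectable from the same data a switch already has: which port each source MAC arrives on, and when. As an added example (not code from the textbook, and not how any particular switch implements it), the following runs that detection logic over a constructed stream of (timestamp, port, source MAC) observations: a MAC that appears on a port other than the one it was learned on is reported as a possible spoof, and a port that sources an unusually large number of distinct MACs within a short window is reported as possible CAM table flooding. Port names, the threshold and the frames are assumptions.

```python
"""Added example (not from the textbook): detection logic of the kind the text
attributes to switches with IDS-like features, run over a constructed stream of
(timestamp, port, source MAC) frame observations. A MAC that appears on a port other
than the one it was learned on is reported as a possible MAC spoof; a port that
sources an unusually large number of distinct MACs within a short window is reported
as possible MAC (CAM table) flooding. Port names, thresholds and frames are assumed."""
from collections import defaultdict, deque

FLOOD_THRESHOLD = 50   # distinct source MACs per port per window (assumed; tune per site)
WINDOW_SECONDS = 1.0


def analyze_frames(frames, window=WINDOW_SECONDS, flood_threshold=FLOOD_THRESHOLD) -> list:
    """frames: iterable of (timestamp, port, src_mac) in time order. Returns alert tuples."""
    learned = {}                   # mac -> port it was first learned on
    recent = defaultdict(deque)    # port -> deque of (timestamp, mac) inside the window
    flood_reported = set()
    alerts = []
    for ts, port, mac in frames:
        mac = mac.lower()
        first_port = learned.setdefault(mac, port)
        if first_port != port:
            # The same address now sources traffic from a different port: either the
            # host moved, or someone is spoofing its MAC. Port security would shut the port.
            alerts.append(("mac-move", mac, first_port, port))
        bucket = recent[port]
        bucket.append((ts, mac))
        while bucket and ts - bucket[0][0] > window:
            bucket.popleft()
        distinct = len({m for _, m in bucket})
        if distinct >= flood_threshold and port not in flood_reported:
            flood_reported.add(port)
            alerts.append(("cam-flood", port, distinct))
    return alerts


def constructed_frames() -> list:
    """Normal traffic on two ports, one spoofed MAC, then a flood of bogus sources."""
    frames = []
    for t in range(5):
        frames.append((float(t), "Gi1/0/1", "aa:bb:cc:dd:ee:01"))
        frames.append((float(t) + 0.5, "Gi1/0/2", "aa:bb:cc:dd:ee:02"))
    # The server's MAC suddenly sources a frame from an access port in a meeting room.
    frames.append((6.0, "Gi1/0/7", "AA:BB:CC:DD:EE:01"))
    # 60 frames with made-up locally administered MACs within 0.3 s from one port.
    for i in range(60):
        frames.append((10.0 + i * 0.005, "Gi1/0/24", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"))
    return frames


def demo() -> list:
    return analyze_frames(constructed_frames())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The flood alert fires once per port, when the distinct-source count first crosses the threshold, rather than on every subsequent frame; a real switch feature such as port security would instead cap the number of addresses a port may learn and shut or restrict the port when the cap is exceeded, which stops the attack rather than merely reporting it.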

Use switch features such as Virtual Local Area Network (VLAN) support and an auditing port. VLANs are switch-enforced logical network segmentation; they control which ports can exchange traffic at layer 2. Using VLANs to manage traffic is often cost-effective, since it does not require re-cabling or changing IP addresses; all of the VLAN configuration takes place within the switch. A VLAN boundary is only as strong as the switch configuration, however: traffic between VLANs still has to pass through, and be filtered by, a router or firewall, and access ports left able to negotiate trunking can let an attacker reach other VLANs.

The audit, mirror, or IDS port on a switch (often called a SPAN port) connects an IDS or IPS so it can monitor all the traffic traversing the switch. Since a switch normally transmits unicast frames only out the port where the intended destination resides, monitoring all traffic on a switched network is not possible without such a mirror port (or an inline network tap).

Also, disable all unused switch ports. This prevents the easiest method of adding rogue devices to a network—namely just plugging into an open port.

Firewalls and Proxies

Firewalls and proxies defend the network, but you need to secure them as well. Otherwise, if an attacker can compromise the firewall, the security it provides is unreliable.

Firewalls and proxies, as with routers and switches, need physical access protection. No non-administrative user should be able to gain direct physical contact with a firewall or proxy. Limit access to management consoles and require strong authentication to access the management interface. If a password is stored in a configuration file for the firewall or proxy, be sure to use a storage format not easily cracked or reversed.

If Simple Network Management Protocol (SNMP) is used on the network, require SNMP v3, which provides authentication and encryption of SNMP sessions. Community names exist only in SNMP v1 and v2c; if those versions cannot be retired, at least replace the default public and private communities with custom names and restrict which hosts may query the device.

Consider the software or firmware of the firewall or proxy. As noted earlier, only install full final releases, never beta or partial firmware. If you are concerned that the latest release has not been thoroughly tested in the real world, staying on a previous release is acceptable, provided there are no published reports of critical security flaws in it.

A firewall should drop all packets addressed directly to itself on any non-management interface, as the firewall does not host traditional services accessed in this manner; only the management interface, reachable from a restricted administrative network, should accept connections. The same is generally true of a proxy server, except that a proxy is by design communicated with directly by its clients and sometimes hosts additional accessible resources, so limit its listening services to exactly those.

Make a final security evaluation of any device, including firewalls, proxies, switches, routers, servers, and clients. You can perform this evaluation using an automated vulnerability scanning tool or a manual penetration test. The goal is to find any remaining vulnerabilities in these devices so they can be fixed as quickly as possible, and to repeat the evaluation after each significant change.

CHAPTER SUMMARY

Network security implementation relies on a thorough understanding of your organization, its goals, its risks, and the technologies employed within your IT infrastructure. Before you can properly deploy network security, you must first design it. Most network security designs include layers of defense as well as sufficient capacity for growth.

Network security includes an evaluation of the protocols and topologies your organization uses. If the current design is insufficient, replace it with a design that addresses productivity and security. You need to assess the addressing schemes in use, whether public or private, static or dynamic, in light of how they improve or detract from security.

Other important components of network security design and deployment include controlling communication pathways; hardening systems; and selecting proper equipment, authentication, authorization, accounting, communication encryption, types of hosts, redundancy, and node security specifics.

KEY CONCEPTS AND TERMS

AppleTalk

Attack Surface

Brute force attack

Bus topology

Dictionary attack

File Transfer Protocol (FTP)

Full Mesh topology

Hybrid attack

Internet Assigned Numbers Authority (IANA)

Internetwork Packet Exchange/Sequenced Packet Ex- change (IPX/SPX)

Latency

Line topology

Logical topology

Modeling

NetBIOS

NetBIOS Extended User Interface (NetBEUI)

Network News Transfer Protocol (NNTP)

Partial Mesh topology

Physical topology

Piloting

Post Office Protocol (POP)

Redundancy

Regional Internet Registry (RIR)

Ring topology

Security through obscurity

Simple Mail Transfer Protocol (SMTP)

Star topology

Subnetting

Sunk cost

Systems Network Architecture (SNA)

Telnet

Topology

Tree topology

CHAPTER 5 ASSESSMENT

1. Which of the following is not an important factor when included as part of network design?

1. Usability

2. Capacity

3. Obscurity

4. Growth

5. Defense-in-depth

2. All of the following are elements of network design except:

1. Satisfying security goals

2. Understanding of the seven domains of IT infrastructure

3. Implementing multiple layers of defense

4. Thorough research and planning

5. Utilizing a single vendor

3. Which IT infrastructure domain does not require firewalls to be in- cluded as part of its network design?

1. Workstation domain

2. LAN domain

3. User domain

4. Remote Access domain

5. System/Application domain

4. Which of the following is a benefit of private addressing that is not present in public addressing?

1. Isolation from the Internet

2. Subnetting

3. Use of IPv6

4. Routing traffic

5. Filtering by source and destination address

5. Why would a network implement public addresses internally in- stead of private addresses?

1. Avoid the use of NAT

2. Be able to custom subnet

3. Maintain isolation from the Internet

4. Prevent external initiation of communications with internal hosts

5. Reduce costs

6. How can static addresses be simulated with DHCP?

1. Round robin assignment

2. Manual configuration on each host

3. Duplicate MAC addresses

4. Reservations

5. DNS reverse lookup

7. Which of the following is a flaw or weakness that both static and dy- namic addressing share?

1. Assignment server can go offline

2. Changes required manual modification on each host

3. Public queries will fail

4. Hackers can spoof valid addresses

5. The first half of the address identifies the NIC vendor

8. What is a primary benefit of system hardening?

1. It reduces user performance

2. It increases network throughput

3. It decreases the attack surface

4. It improves host ROI

5. It tracks attempted intrusions

9. All of the following are elements of system hardening except:

1. Removing unnecessary protocols, services, and applications

2. Implement ingress and egress filtering against spoofed addresses

3. Installing patches and updates

4. Configure encryption for storage and communication

5. Installing antivirus and a host firewall

10. All of the following are true statements about system hardening except:

1. System hardening is a one-time process that does not need to be repeated on the same host.

2. System hardening removes or reduces many known vulnerabilities.

3. System hardening is different for each system with a unique function.

4. System hardening is dependent on the location or placement of a host within the seven common domains of an IT infrastructure.

5. Any system discovered to be out of compliance with system hardening guidelines should be quarantined until it can be repaired.

11. System hardening should be applied to all of the following except:

1. Clients

2. Servers

3. Switches

4. Routers

5. Cable adapters

12. Which of the following is not usually part of the system hardening process?

1. Update hardware firmware or BIOS

2. Install additional RAM

3. Configure a backup process

4. Configure account lockout

5. Replace outdated device drivers

13. What is the essential purpose or function of authentication?

1. Control access to resources

2. Monitor for security compliance

3. Watch levels of performance

4. Verify entity identity

5. Prevent distribution of malware

14. What is the essential purpose or function of authorization?

1. Grant or deny access to resources

2. Check policy compliance

3. Identify entities

4. Monitor levels of utilization

5. Detect spoofed content

15. What is the essential purpose or function of accounting?

1. Detect intrusions

2. Prove identity

3. Control access to assets

4. Record the activities and events within a system

5. Throttle transactions

16. What is the essential purpose or function of encryption?

1. Verify integrity

2. Prove the identity of endpoints

3. Protect content from unauthorized third parties

4. Maintain performance

5. Validate parking

17. A remote host has all of the following additional security issues or concerns in comparison with a local host except:

1. Potential exposure to unfiltered Internet

2. Poor end user training

3. Greater risk of physical theft

4. Possible lack of patches and updates

5. Additional interaction with external entities

18. Which of the following is a protection against a single point of failure?

1. Encryption

2. Filtering

3. Auditing

4. Redundancy

5. VPNs

19. When performing node security on a router, all of the following are important concerns, except:

1. Block all directed IP broadcasts

2. Disable echo, chargen, discard, and daytime

3. Watch for MAC spoofing

4. Drop RFC 1918 addressed packets from the Internet

5. Enable a warning banner for all attempted connections

20. When configuring node security on a switch, all of the following are important elements except:

1. Enable keystroke logging

2. Limit access to management interfaces

3. Monitor for ARP flooding

4. Upgrade to SNMP v3

5. Use a final version of firmware
