Network Security Infrastructure

The concept of redundancy is to design systems with duplicate components so that if a failure were to occur, there would be a backup.

If the organization requires full redundancy, devices should have two power supplies connected to diverse power sources.

Joint operating agreements (JOA): the parties agree not to compete on safety and security; they compete on service, price and customer loyalty.

“cloud” means “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (such as networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

A managed service provider (MSP) is a company that manages information technology assets for another company.

The cloud computing service-level agreement (cloud SLA) is an agreement between a cloud service provider and a cloud service customer based on a taxonomy of cloud computing-specific terms to set the quality of the cloud services delivered.

SaaS provides access to software applications but not the equipment necessary for customers to build and operate their own software.

IaaS provides use of hardware and related equipment that is retained by the provider, but it is not the most suitable option for customers who want to build and operate their own software, since they would also have to manage the operating systems themselves.

PaaS typically provides a set of software building blocks and development tools, such as programming languages and a supporting run-time environment, that facilitate the construction of high-quality, scalable applications.

SLA is a service-level agreement and is not a cloud service deployment model.

Network segmentation involves controlling traffic among networked devices. Complete or physical network segmentation occurs when a network is isolated from all outside communications, so transactions can only occur between devices within the segmented network.

A DMZ is a network area that is designed to be accessed by outside visitors but is still isolated from the private network of the organization. The DMZ is often the host of public web, email, file and other resource servers.

VLANs are created by switches to logically segment a network without altering its physical topology.

A virtual private network (VPN) is a communication tunnel that provides point-to-point transmission of both authentication and data traffic over an untrusted network.

Defense in depth uses multiple types of access controls in literal or theoretical layers to help an organization avoid a monolithic security stance.

Network access control (NAC) is a concept of controlling access to an environment through strict adherence to and implementation of security policy.

Defense in depth provides more of a starting point for considering all types of controls: administrative, technological, and physical.

Zero trust networks are often microsegmented networks, with firewalls at nearly every connecting point. Placing a greater number of firewalls or other security boundary control devices throughout the network increases the number of opportunities to detect a troublemaker before harm is done, and adds defenses at the user, asset and data level rather than relying on perimeter defense.

Every process or action a user attempts to take must be authenticated and authorized.

We need to be able to see who and what is attempting to make a network connection.

Ensure that all devices wishing to join the network do so only when they comply with the requirements laid out in the organization's policies.

It is critically important that all mobile devices, regardless of their owner, go through an onboarding process, ideally each time a network connection is made, and that the device is identified and interrogated to ensure the organization's policies are being met.

A WAF has an internal and an external connection like a traditional firewall, with the external traffic being filtered by the traditional or next-generation firewall first. It monitors all traffic, encrypted or not, from the outside for malicious behavior before passing commands to a web server that may be internal to the network.

Examples of embedded systems include:

  1. network-attached printers

  2. smart TVs

  3. HVAC controls

  4. smart appliances

  5. smart thermostats

  6. medical devices

A fundamental design requirement of microsegmentation is to understand the protection requirements for traffic within a data center and for traffic flows to and from the internet.

Microsegmentation allows for extremely granular restrictions within the IT environment, to the point where rules can be applied to individual machines and/or users, and these rules can be as detailed and complex as desired.

VLANs allow network administrators to use switches to create software-based LAN segments, which can segregate or consolidate traffic across multiple switch ports.

VLANs can be configured based on:

  1. switch port

  2. IP subnet

  3. MAC address

  4. protocol

VLAN hopping

VLAN hopping is a security vulnerability that can occur in a network environment where Virtual LANs (VLANs) are improperly configured, allowing an attacker to gain unauthorized access to traffic in other VLANs. VLAN hopping can occur in different ways, such as Double Tagging (Q-in-Q) and Switch Spoofing attacks. Here's how to defend against VLAN hopping:

1. Proper VLAN Configuration:

  • Native VLAN: Ensure that the native VLAN (the default VLAN) is not used for transmitting user traffic. Assign it only for management purposes.

  • VLAN Segmentation: Properly segment VLANs to prevent unauthorized access between VLANs.

2. VLAN Trunk Security:

  • Disable Unused Ports: Disable unused switch ports that are not in use to prevent attackers from connecting and attempting to hop VLANs.

  • Use Port Security: Implement port security mechanisms to control the number of MAC addresses allowed on a port.

3. VLAN Pruning:

  • Use VLAN Pruning: Enable VLAN pruning on trunk ports to prevent the forwarding of unnecessary broadcast traffic to unauthorized VLANs.

4. Port Isolation:

  • Private VLANs: Utilize Private VLANs to isolate devices within the same VLAN from communicating with each other.

5. VTP Configuration:

  • Disable VTP: If not needed, disable the Cisco VLAN Trunking Protocol (VTP) to prevent unauthorized VLAN propagation.

6. Switch Spoofing Mitigation:

  • Implement Switch Spoofing Prevention: Use features like Dynamic ARP Inspection (DAI) to prevent ARP spoofing attacks.

7. Double Tagging Prevention:

  • Validate Received Packets: Configure switches to validate incoming packets with multiple VLAN tags and discard those with unexpected tags.

8. VLAN Access Control:

  • Use 802.1X Authentication: Implement IEEE 802.1X port-based authentication to control access to VLANs.

9. Network Monitoring:

  • Monitor Network Traffic: Continuously monitor network traffic and look for anomalies that might indicate VLAN hopping attempts.

10. Regular Audits:

  • Conduct Security Audits: Periodically audit your network's VLAN configuration and security controls.

11. VLAN Documentation:

  • Document VLAN Configurations: Maintain clear documentation of your VLAN setup and configurations.

12. Security Awareness:

  • Train Network Administrators: Educate network administrators about VLAN hopping risks and mitigation strategies.

13. Vendor Security Advisories:

  • Stay Informed: Stay up to date with vendor security advisories and apply recommended patches or fixes.

14. Penetration Testing:

  • Perform Penetration Testing: Regularly test your network for vulnerabilities, including potential VLAN hopping vulnerabilities.

By following these best practices and ensuring proper configuration and security measures, you can significantly reduce the risk of VLAN hopping attacks and maintain the integrity and isolation of your network segments.

VLANs are virtual separations within a switch and are used mainly to limit broadcast traffic.

A VLAN can be configured to communicate with other VLANs or not, and may be used to segregate network segments.

VLANs are used for:

  1. separate Voice Over IP (VOIP) telephones from the corporate network

  2. separate the data center from all other network traffic

  3. segment networks

    1. Separate the payroll workstations from the rest of the workstations in the network

    2. Routing rules can also be used to only allow devices within this Payroll VLAN to access the servers containing payroll information

  4. limit the amount of broadcast traffic within a network

VLANs are:

  1. logically separated

  2. may be allowed to access other VLANs

  3. can be configured to deny access to other VLANs

VPN is simply a point-to-point connection between two hosts that allows them to communicate.

Terms
  • Application programming interface (API) - A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool.

  • Bit - The most essential representation of data (zero or one) at Layer 1 of the Open Systems Interconnection (OSI) model.

  • Broadcast - Broadcast transmission is a one-to-many (one-to-everyone) form of sending internet traffic.

  • Byte - The byte is a unit of digital information that most commonly consists of eight bits.

  • Cloud computing - A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST 800-145

  • Community cloud - A system in which the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy and compliance considerations). It may be owned, managed and operated by one or more of the organizations in the community, a third party or some combination of them, and it may exist on or off premises. NIST 800-145

  • De-encapsulation - The opposite process of encapsulation, in which bundles of data are unpacked or revealed.

  • Denial-of-Service (DoS) - The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.) Source: NIST SP 800-27 Rev A

  • Domain Name Service (DNS) - This acronym can be applied to three interrelated elements: a service, a physical server and a network protocol.

  • Encapsulation - Enforcement of data hiding and code hiding during all phases of software development and operational use. Bundling together data and methods is the process of encapsulation; its opposite process may be called unpacking, revealing, or using other terms. Also used to refer to taking any set of data and packaging it or hiding it in another data structure, as is common in network protocols and encryption.

  • Encryption - The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.

  • File Transfer Protocol (FTP) - The internet protocol (and program) used to transfer files between hosts.

  • Fragment attack - In a fragment attack, an attacker fragments traffic in such a way that a system is unable to put data packets back together.

  • Hardware - The physical parts of a computer and related devices.

  • Hybrid cloud - A combination of public cloud storage and private cloud storage where some critical data resides in the enterprise’s private cloud while other data is stored and accessible from a public cloud storage provider.

  • Infrastructure as a Service (IaaS) - The provider of the core computing, storage and network hardware and software that is the foundation upon which organizations can build and then deploy applications. IaaS is popular in the data center where software and servers are purchased as a fully outsourced service and usually billed on usage and how much of the resource is used.

  • Internet Control Message Protocol (ICMP) - An IP network protocol standardized by the Internet Engineering Task Force (IETF) through RFC 792 to determine if a particular service or host is available.

  • Internet Protocol (IPv4) - Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks. CNSSI 4009-2015

  • Man-in-the-Middle - An attack where the adversary positions himself in between the user and the system so that he can intercept and alter data traveling between them. Source: NISTIR 7711

  • Microsegmentation - Part of a zero-trust strategy that breaks LANs into very small, highly localized zones using firewalls or similar technologies. At the limit, this places a firewall at every connection point.

  • Oversized Packet Attack - Purposely sending a network packet that is larger than expected or larger than can be handled by the receiving system, causing the receiving system to fail unexpectedly.

  • Packet - Representation of data at Layer 3 of the Open Systems Interconnection (OSI) model.

  • Payload - The primary action of a malicious code attack.

  • Payment Card Industry Data Security Standard (PCI DSS) - An information security standard administered by the Payment Card Industry Security Standards Council that applies to merchants and service providers who process credit or debit card transactions.

  • Platform as a Service (PaaS) - The web-authoring or application development middleware environment that allows applications to be built in the cloud before they’re deployed as SaaS assets.

  • Private cloud - The phrase used to describe a cloud computing platform that is implemented within the corporate firewall, under the control of the IT department. A private cloud is designed to offer the same features and benefits of cloud systems, but removes a number of objections to the cloud computing model, including control over enterprise and customer data, worries about security, and issues connected to regulatory compliance.

  • Protocols - A set of rules (formats and procedures) to implement and control some type of association (that is, communication) between systems. NIST SP 800-82 Rev. 2

  • Public cloud - The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. NIST SP 800-145

  • Simple Mail Transport Protocol (SMTP) - The standard communication protocol for sending and receiving emails between senders and receivers.

  • Software - Computer programs and associated data that may be dynamically written or modified during execution. NIST SP 800-37 Rev. 2

  • Software as a Service (SaaS) - The cloud customer uses the cloud provider’s applications running within a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Derived from NIST 800-145

  • Spoofing - Faking the sending address of a transmission to gain illegal entry into a secure system. CNSSI 4009-2015

  • Transport Control Protocol/Internet Protocol (TCP/IP) Model - Internetworking protocol model created by the IETF, which specifies four layers of functionality: Link layer (physical communications), Internet Layer (network-to-network communication), Transport Layer (basic channels for connections and connectionless exchange of data between hosts), and Application Layer, where other protocols and user applications programs make use of network services.

  • Virtual Local Area Network (VLAN) - A logical group of workstations, servers, and network devices that appear to be on the same LAN despite their geographical distribution.

  • VPN - A virtual private network (VPN), built on top of existing networks, that can provide a secure communications mechanism for transmission between networks.

  • Wireless Local Area Network (WLAN) - A group of computers and devices that are located in the same vicinity, forming a network based on radio transmissions rather than wired connections. A Wi-Fi network is a type of WLAN.

  • Zenmap - The graphical user interface (GUI) for the Nmap Security Scanner, an open-source application that scans networks to determine everything that is connected as well as other information.

  • Zero Trust - Removing the design belief that the network has any trusted space. Security is managed at each possible level, representing the most granular asset. Microsegmentation of workloads is a tool of the model.
