The first post in the Security+ series will cover network devices that help protect our infrastructure from black hats as well as from our own unaware users. It will give you a list of devices, their role and the most common features they utilize.
So sit back, play some good music and, as my virtual spinning instructor says, “take a deep breath, this is going to be tough”.
Random trivia: Foo Fighters played during article creation.
Firewalls
Firewalls are mostly used at the network perimeter for zoning or security isolation between various segments such as the Internet, Intranet and DMZ. They come in various forms and with different features. One of the basic services they provide is stateful traffic inspection. It means that the firewall keeps track of connections made from one zone to another and allows the return traffic. This information is stored in a state table. Other popular features include network address translation. Since many modern web applications ride on top of HTTP(S), today's firewalls also provide application-level visibility at L7 besides the traditional inspection at L3/L4 only. You are going to pay extra for this.
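To make the state table idea concrete, here is an added toy stateful filter (example code, not from the original post or any vendor). It assumes a hypothetical zone policy `POLICY` that only governs new connections; any packet whose reverse 5-tuple is already in the state table is treated as return traffic and allowed without consulting the policy. Sample packets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    in_zone: str     # zone the packet arrives from
    out_zone: str    # zone it is destined to

# Hypothetical policy for NEW connections only: (from_zone, to_zone) -> allowed dst ports
POLICY = {
    ("inside", "outside"): {80, 443, 53},
    ("outside", "dmz"): {443},
}

class StatefulFirewall:
    def __init__(self):
        # state table entries: (proto, client_ip, client_port, server_ip, server_port)
        self.state = set()

    def _key(self, p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def _reverse_key(self, p):
        # a reply swaps source and destination of the original connection
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def check(self, p):
        """Return 'allow-established', 'allow-new' or 'deny' for one packet."""
        if self._reverse_key(p) in self.state or self._key(p) in self.state:
            return "allow-established"       # belongs to a tracked connection
        if p.dst_port in POLICY.get((p.in_zone, p.out_zone), set()):
            self.state.add(self._key(p))     # new connection permitted by policy
            return "allow-new"
        return "deny"                        # no state, no policy match

def run_demo():
    fw = StatefulFirewall()
    pkts = [  # constructed sample traffic
        Packet("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "inside", "outside"),  # client hello
        Packet("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", "outside", "inside"),  # server reply
        Packet("203.0.113.10", 443, "10.0.0.5", 51001, "tcp", "outside", "inside"),  # unsolicited
        Packet("203.0.113.99", 40000, "10.0.0.5", 22, "tcp", "outside", "inside"),   # inbound SSH
    ]
    return [fw.check(p) for p in pkts]
```

Only the first reply matches an existing state entry; the unsolicited packet to another port and the inbound SSH attempt are denied because no policy allows outside-to-inside connections.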
Web Application Firewalls
A Web Application Firewall is a special type of device or service that understands the logic at L7 of the OSI model. It can recognize and mitigate common web-based attacks. Some examples of these attacks include XSS, SQL injection or other types of abuse of web application input fields.
DDoS protection
DDoS protection and mitigation is important if a major part of your business revenue depends on the availability of your site. This service can take the form of an appliance or a service leased from a third-party company. One of the solutions out there is Prolexic, which is now part of Akamai. The way it works is that you direct your traffic through their infrastructure, and during a DDoS attack this service filters out malicious traffic and allows only legitimate users to connect to your services.
Routers
Routers, from a security point of view, can provide some essential services as well. Depending on the size of the organization, these boxes may combine some firewall features, sacrificing some additional CPU cycles. Besides their primary duty, routing packets, they can also have features such as Unicast Reverse Path Forwarding, which protects against spoofing attacks, for example someone on the Internet impersonating one of your internal hosts to redirect return traffic inside your network. Access Control Lists are another essential tool for policy enforcement. They allow you to permit or deny certain communication based on information at L3/L4 of the OSI Reference model. Some routers have more advanced firewalling capabilities, such as Class-Based Access Control and Zone-Based Firewall, both of which can be found in Cisco’s IOS.
Switches
Yes, these little boxes that sit in our wiring closets can also help secure the infrastructure. One of the most common features is called Port Security. It can protect against various types of attacks, such as CAM overflow, by limiting the number of allowed MAC addresses per port. I would not use this feature to prevent spoofing attacks, since a MAC address can be changed on a host very easily. If you want to allow network access based on user identity, a good approach is to go with 802.1X. This framework offers a comprehensive set of features, where users need to authenticate before they can access your network. To protect against MITM and DoS attacks in the switched domain, DHCP Snooping and Dynamic ARP Inspection can be helpful. DHCP Snooping tracks DHCP control communication and allows only trusted servers to hand out IP addresses. DAI is a complementary feature and helps protect the address resolution process, so an attacker cannot respond on behalf of someone else on the segment. These features work together.
There are many other control plane protocols at the switch level; for example, Spanning Tree hardening is recommended. Look at features like BPDU Guard and Root Guard.
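The following added example (not from the original post or any vendor) shows how DHCP Snooping and DAI work together on one switch: leases seen on the trusted uplink populate a binding table, and ARP replies on untrusted ports are forwarded only when the claimed IP, MAC and port match a binding. Port names, MACs, addresses and the `TRUSTED` set are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    kind: str            # "dhcp-request", "dhcp-ack" or "arp-reply"
    port: str            # ingress switch port
    vlan: int
    src_mac: str         # MAC of the sending host or server
    ip: str = ""         # dhcp-ack: leased address; arp-reply: claimed sender IP
    client_mac: str = "" # dhcp-ack only: the client the lease is for

TRUSTED = {"Gi1/0/48"}   # constructed: only the uplink to the real DHCP server

class Switch:
    def __init__(self):
        self.pending = {}    # client MAC -> port it sent its DHCP request from
        self.bindings = {}   # (vlan, ip) -> (mac, port), built by DHCP snooping
        self.log = []

    def handle(self, f):
        if f.kind == "dhcp-request":
            self.pending[f.src_mac] = f.port       # remember where the client lives
            return "forward"
        if f.kind == "dhcp-ack":
            if f.port not in TRUSTED:              # rogue DHCP server on an access port
                self.log.append(f"DHCP snooping: dropped ACK from untrusted {f.port}")
                return "drop"
            port = self.pending.get(f.client_mac)
            if port is None:
                return "drop"                      # lease for a client that never asked
            self.bindings[(f.vlan, f.ip)] = (f.client_mac, port)
            return "forward"
        if f.kind == "arp-reply":
            if f.port in TRUSTED:
                return "forward"
            if self.bindings.get((f.vlan, f.ip)) != (f.src_mac, f.port):
                self.log.append(f"DAI: dropped ARP reply for {f.ip} from {f.src_mac} on {f.port}")
                return "drop"                      # claim does not match the binding
            return "forward"
        return "drop"

def run_demo():
    sw = Switch()
    frames = [  # constructed sample frames
        Frame("dhcp-request", "Gi1/0/5", 10, "aa:aa:aa:aa:aa:01"),
        Frame("dhcp-ack", "Gi1/0/7", 10, "cc:cc:cc:cc:cc:01", "10.10.10.5", "aa:aa:aa:aa:aa:01"),
        Frame("dhcp-ack", "Gi1/0/48", 10, "dd:dd:dd:dd:dd:01", "10.10.10.5", "aa:aa:aa:aa:aa:01"),
        Frame("arp-reply", "Gi1/0/5", 10, "aa:aa:aa:aa:aa:01", "10.10.10.5"),
        Frame("arp-reply", "Gi1/0/9", 10, "bb:bb:bb:bb:bb:02", "10.10.10.5"),
    ]
    return [sw.handle(f) for f in frames], sw.log
```

The second frame is an ACK from an untrusted port (a rogue server) and is dropped; the last frame is a host on another port answering for an address it does not hold, which DAI rejects against the binding learned from the legitimate lease.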
Load balancers
You may not know it, but you are using load balancers every day. Sometimes these devices are called Application Delivery Controllers or Forward Proxies. Their primary role is to increase service availability by load-balancing traffic across multiple servers that all provide the same resources. Over time, these devices evolved from this role to also provide services such as SSL/TLS offloading, Authentication Offloading, Advanced Health Checking, Global Traffic Management, Caching, Compression and Application Firewall. They operate at L3-L7 of the OSI stack. SSL offloading is a feature that allows you to terminate a secure tunnel and look at the L7 data. Based on this data, you can forward it to the right resource. For example, a multinational company may have a web presence in multiple languages, and it can select the right pool of servers based on your geographic location.
Proxy servers
Proxy servers are another useful device used for security enforcement. They usually sit between the Internet and Intranet, for example in the DMZ. They are the middlemen that control what you are allowed to see and what not, or even whether you are allowed out at all. These web-filtering policies use a blacklisting or whitelisting approach. The companies that make these devices maintain a list of sites and their categories, for example gambling sites or social networking sites. Then, when you initiate a connection from inside, your browser initiates a connection to the proxy and the proxy then initiates a connection to the final destination. With the right configuration they can even intercept SSL/TLS traffic.
Other common jobs these devices do are content caching, network address translation, application-level security and Internet usage reporting – top site hits, top talkers.
Web Security Gateways
This term is used for a device that can inspect application-level traffic; for example, an advanced firewall, spam filter or proxy can be called by this name.
Intrusion Detection and Prevention Systems
Historically, Network Intrusion Detection Systems were used to detect an attack targeted at services running on servers. This device would get a copy of each packet and compare its content against a predefined set of attack signatures. If a match is found, the IDS can send an alert and sometimes send a TCP Reset to the source, or it can instruct another device – a firewall or router – to take an action. As you can see, by then the attack has already taken place.
With today's threats the IDS approach alone is no longer sufficient. The Intrusion Prevention System evolved from the IDS and brings more features. It can still identify common attacks based on signature matching. With global cooperation, an IPS can now download signatures automatically. Other types of attack identification include anomaly-based detection and sandboxing – heuristics. A NIPS sits inline with the inspected traffic and can react faster.
Protocol analyzers
Protocol analyzers are specialized devices or software (e.g. Wireshark). The other name for these devices is sniffers. They can capture, analyze and trend application flows. They can be used to create a network baseline. They are useful when you need to drill into the communication stream of an application to determine what is happening. For example, you might have a performance problem and need to pinpoint where the delay happens. Another case might be to see what type of communication is ongoing, e.g. DNS, HTTP, SSH and so on.
Spam filters
This technology, often found in email relays, is used to filter unwanted messages arriving in our mailboxes. Besides filtering unwanted advertisements, it can also block phishing emails and other communication that might contain malware. In the other direction, communicating from inside to the Internet, it can use a feature called Data Loss Prevention, which prevents sensitive information from accidentally leaking outside of the company.
Unified Threat Management (UTM) appliances
This is a general description of a device that can do multiple things at the same time, for example URL Filtering, Content Inspection, Malware Protection and Web Application Firewall. Check Point uses this term for products that can have these features activated by software blades.
Application aware devices
Another term that describes devices that can look at application data in packets. These devices include advanced firewalls, intrusion prevention and detection systems, and proxy servers.
Wireless LAN Controllers
Yes, I admit it, this one is a bonus device in this category. Wireless LAN controllers provide centralized management of access points, from association and authentication to radio frequency management across many lightweight access points. The security highlights here are strong authentication, for example using 802.1X with EAP-TLS, which is certificate-based. Some WLCs provide wireless IDS capabilities where they can detect rogue access points, a.k.a. evil twins – stay tuned for this one.
VPN concentrators
The last category of security devices includes Virtual Private Network Concentrators or servers. These devices sit at the network edge and extend our corporate network to employees on the move, contractors and partners. They use protocols such as PPTP, L2TP, IPSec and SSL/TLS to build secure, encrypted tunnels between two parties over the Internet. They can define policies on how to authenticate a user, what resources he is allowed to access and so on.
And that, my friends, concludes the first article around Security+. If you made it this far, give yourself a pat on the shoulder. I hope you enjoyed it. Feel free to comment and stay tuned for part 2, which will cover security administration principles.
Until then, may the force be with you.