Security+ Series Part 1: Network Security Devices

The first post in the Security+ series will cover network devices that help protect our infrastructure from black hats and as well as our own unaware users. It will give you a list of devices, their role and most common features they utilize.

So sit back, play some good music and as my virtual spinning instructor says, “take a deep breath this going to be taught”.

Random trivia: Foo Fighters played during article creation.

Firewalls

Firewalls are mostly used at network perimeter for zoning or security isolation between various segments such as Internet, Intranet and DMZ. They come in various forms and with different features. One of the basic services they provide is statefull traffic inspection. It means that the firewall keeps track of connections made from one zone to another and allows return traffic. This information is stored in state table. Other popular features include network address translation. Since many of modern web applications ride on top of HTTP(S), today firewalls provide also an application level visibility at L7 besides traditional inspection only at L3/L4. You are going to pay extra for this.

Checkpoint 12400 Series. All rights reserved.

WAFs

Web Application Firewall is a special type of device or service that understand the logic at L7 of OSI model. It can recognize and mitigate common web-based attacks. Some examples of these attacks include XSS, SQL Injections or other types of abuses toward web app input fields.

Barracuda’s Web Application Firewall 660

DDoS Protection

DDoS protection and mitigation is important if major of our business revenue depends on availability of your site. This service can have form of an appliance or a service that can be leased from third party company. One the the solutions out there is Prolexic, which is now part of Akamai. The way it works is that you direct your traffic through their infrastructure and during a DDoS attract this service will filter malicious traffic and allow only legitimate users connect to your services.

Bad guys will need to bypass Prolexic protection to reach your services.

Routers

Routers, from security point of view can provide some essential services as well. Depending on size of organization, these boxes may combine some firewall features, sacrificing some additional CPU cycles. Besides their primary duty, route packets, they can also have features such as Unicast Reverse Path Forwarding, which protect against spoofing attacks, for example someone on internet would interpersonal one of your internal hosts to redirect return traffic inside your network. Access Control Lists are another essential tool for policy enforcement. They allow you to permit or deny certain communication based on information at L3/L4 of OSI Reference model. Some routers have more advanced firewalling capabilities, such as Class-Based Access Control and Zone-Based Firewall, both can be found in Cisco’s IOS.

Cisco ISR 2921. All rights reserved.

Switches

Yes, also these little boxes that sit at our wiring closets can help securing the infrastructure. One of the most common features is called Port Security. It can protect against various types of attacks, such as CAM overflow where you can limit the number of allowed MAC addresses per port. I would not use this feature to prevent spoofing attacks, since MAC address can be change on host very easily. If you want to allow network access based on user identity, good approach is to go with 802.1x. This framework offers comprehensive set of features, where users need to authenticate before they can access your network. To prevent against MITM and DoS attacks at switched domain, DHCP snooping and Dynamic ARP Inspection can be helpful. DHCP Snooping tracks DHCP control communication and allows only trusted servers to hand out IP address. DIA is complementary feature and helps protects address resolution process, so attacker cannot respond on behalf of someone else on segment. These features work together.

There are many other control plane protocols at switch-level, for example, Spanning Three hardening is recommended. Look at features like BPDU and Root Guard.

Cisco Catalyst 2960+. All rights reserved.

Load Balancers

You many not know, but you are using load balancers every day. Sometimes these devices are called Application Delivery Controllers or Forward Proxies . Their primary role is to increase service availability by load-balancing traffic to multiple servers that all provide the same resources. Over the time, these devices evolved from this role to also provide services such as SSL/TLS offloading, Authentication Offloading, Advanced Health Checking, Global Traffic management, Caching, Compression and Application Firewall They operate at L3-L7 of OSI stack. SSL offloading is a feature that allows you terminate a secure tunnel and look at L7 data. Based on this data, you can forward it to right resource. For example a multinational company may have web presence in multiple languages and it can select the right pool of servers based on your geographic location.

F5 BigIP 2000. All rights reserved. Thumbs up for big red ball.

Proxies

Proxy servers are another useful device used for security enforcement. They usually sit between the Internet and Intranet, for example in DMZ. They are the middle mans that control what you are allowed to see and what not or even if you are allowed to out at all. These web-filtering policies use blacklisting or whitening approach. The companies that make these devices maintain a list of sites and their categories. For example gambling sites or social networking sites. Then, when you initiate connection from inside, your browser initiate a connection to proxy and the proxy then initiates connection to final destination. With the right configuration they can even intercept SSL/TLS traffic.

Other common jobs that these devices do are, content caching, network address translation, application level security and Internet usage reporting – top site hits, top talkers.

Bluecoat ProxySG 9000. All rights reserved. Look at the Cop logo it says it all.

Web Security Gateways

This term is used for device that can inspect application level traffic, for example advanced firewall, spam filters, or proxy can be called with this name.

NIDS/NIPS

Historically Network Intrusion Detection System were used to detect an attack targeted at services running on servers. This device would get a copy of each packet and compare its content against a predefined set of attack signatures. If a match is found, IDS can send an alert and sometimes send a TCP Reset to source or it can instruct other device to take an action – firewall, router. As you see the attack has already taken its place.

With today threats IDS approach is no longer feasible. Intrusion Prevention System evolved from IDS. It brings more features. it can still identify common attacks based on signature matching. With global cooperation, IPS can now download signatures automatically. The other types of attack identification include, anomaly based and sandboxing – heuristic. NIPS sit inline with inspected traffic and can react faster.

Sourcefire 3D8000. All rights reserved. This is the next-gen IPS puppy.

Protocol analyzers

Protocol analyzers are specialized devices or software (e.g. Wireshark). The other name for these devices is sniffers. That can capture, analyze and trend application flows. They can be used for to create a network baseline. They are useful when you are need to drill into communication steam of an application to determine what is happening. For example you might have a performance problem and you need to point of where the delay happens. Or another case might be to see what type of communication is ongoing e.g DNS, HTTP, SSH and so on.

Gigamon GigaVue 2404. All rights reserved. It seems that guys at Gigamon like orange a lot.

Spam filters

This technology, often found in email relays is used to filter unwanted messages arriving in our mailboxes. Besides filtering unwanted advertisements it can also prevent phishing emails and other communication that might contain malware. The other way around, communicating from inside to internet, it can use feature called Data Loss Prevention, which can prevent against accidentally leaking sensitive information outside of company.

Cisco IronPort C370. All rights reserved. Thumbs up for clean chassis design.

Unified Threat Management (UTM) appliances

This is a general description of a device that can do multiple things at the same time. For example URL Filtering, Content Inspection, Malware protection and Web application Firewall. Checkpoint uses this term for products that can have these features activated by software blades.

Application aware devices

Another term that defines devices that can look at application data in packets. These devices include advanced firewalls, intrusion prevention and detection systems and proxy servers.

Wireless LAN Conrollers

Yes I admit it, this one is a bonus device in this category. Wireless LAN controllers provide centralized management of access point, from association and authentication to radio frequency management across many lightweight access points. The security highlights here are strong authentication for example using 802.1x TLS which is based on certificates. Some WLCs provide wireless IDS capabilities where they can detect rogue access points a.k.a evil twins – Stay tune for this one.

Cisco WLC 5508. All rights reserved.

VPN Concentrator

The last category of security devices include Virtual Private Network Concentrators or servers. These devices sits at network edge and extend our corporate network to employees on the move, contractors and partners. They use protocols such as PPTP, L2TP, IPSec and SSL/TLS to build a secure and encrypted tunnels between two parties over the Internet. They can define policies on how to authenticate user, what resources he is allowed to access and so on.

Cisco ASA 5520. All rights reserved.

And that my friends, concludes the first article around Security+. If you made it so far have give yourself a tap on shoulder. I hope you enjoyed it. Feel free to comment and stay tuned for part 2, which will cover security admin principles.

Until then, may the force be with you.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s