MIT 420 Chapter 9 Removed-3

Module 09: Network
Security Appliances
& Technologies
Dr. Sikder Kamruzzaman

Professor in Networking and Cybersecurity
Learning Objectives
1) List the different types of network security

appliances and how they can be used
2) Describe network security technologies

Security can be achieved through appliances that
directly address security and by using the security
features in standard networking devices
Security
Appliances
Using both standard networking devices and security
appliances can result in a layered security approach
Intrusion detection
Deception Network hardware
Firewalls Proxy servers . and prevention
instruments security models
systems
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Firewalls (1
of 6)
Firewall Functions
A firewall uses bidirectional inspection to examine outgoing

and incoming packets
The actions are based on specific criteria or rules (called rule-
based firewalls)
A more flexible type of firewall is a policy-based firewall which
allows more generic statements instead of specific rules
Firewalls can also apply content/URL filtering
W” © Parental Controk: Profies - X
Rllers Access | Applications Privacy

Blodk these categories.
Add Profile
Select age: Ages8-12
Firewalls (2
8 Communication or Media
Chat
v Dating and personals
y explicit Instant Messaging
of 6 :
ex educaton Peer-to-peer
troversal
v Criminal activity
v O @ Shopping and Entertanment
v Hate and intolerance v Advertisements and popups
v al drugs v
v legal software v
v Plagarism (school work shopping
& Games
v
v
URL hist Safe websites Unsafe websites
neidl_rubenking@pamag. com
Shop Support
Figure 9-1 Content/URL filtering
Firewalls (3 * Firewall Categories
of 6) * Stateful vs. stateless:
* Open source vs. proprietary

* Hardware vs. software
* Host vs. appliance vs. virtual
Help protect your PC with Windows Defender Firewall
Windows Defender Firewall can help prevent hackers or malicious software from gaining access to your PC
through the Intermet or a network.
. e Private networks Connected
.
Networks at home or work where you know and trust the people and devices on the network
Firewalls (4 Incoming connections: Block all connections to apps that are not on the list
of allowed apps
O Active private networks: ¥ Network
Notification state: Notify me when Windows Defender Firewall blocks a

new app -
<)
3 = . 8
. 9 Guest or public networks Connected | S
s
Networks in public places such as airports or coffee shops 52
&,
Windows Defender Firewall state: On 5
Incoming connections: Block all connections to apps that are not on the list a
of allowed apps
Active public networks: None
Notification state: Notify me when Windows Defender Firewall blocks a

new app
Figure 9-3 Windows host-based firewall
Firewalls (5 | Switch
of 6)
il sssell @
Database Application
server server
Figure 9-4 Appliance firewall
* Specialized Firewall Appliances
* Web application firewall
* Network address translation gateway
Firewalls (6 * Network address translation (NAT) is a
of 6) technique that allows private IP addresses to
be used on the public internet
* Next generation firewall
* Unified threat management (UTM)
* UTM is a device that combines several
security functions such as packet filtering,
antispam, antiphishing, antispyware,
encryption, intrusion protection, and web
filtering
Figure 1. Magic Quadrant for Network Firewalls
= ] L g
F . | |
Palo Ao Networks
fort @
®
0“. Check Poent Soware Technologes

L]
Huawel Suriges Heworks

e
Hiscee Netwods “’“‘.“"

A WochGusd @ Sophos
Verustoch Sogle @ [} €]
® P @ dmod
w
5
g Steematied Micsosclt
S ® )
g
>
= -
B I 8
COMPLETENESS OF VISION > As of November 2020 © Gartner, Inc
Source: https://go.fortinet.com/global-Ip/BSPtarh
Bt RSTR e walls
Activity - Check your Firewall
Security
& Privacy
Check the -
hOSt based flreWa" General FileVault Privacy
on your personal
@ Firewall: On
device and discuss
The firewall is turned on and set up to prevent unauthorized applications, programs, and
your observations services from accepting incoming connections.
Fir
W Windows Defender Frewsll - o x
4 @« System
and Securtty » Windows Defendes Firewall v | @ SeachControl Panel »
Bl Tiediica Help protect your PC with Windows Defender Firewall

Windows Defendes Firewall can help prevent hackers or mabcious software from gaiming a<cess 1o your
Allow an app or feature PC through the Intemet or » network.
through Windows Defender
ol P9 riore nevoris Not connected
@ Change notfication settings
Tum Windows Defender . © Guest or public networks Connected
Firewsll on or off
@ Restore defaults Metwarks in public places such 35 airports or coffee shops
O Aivmscad ettiogs Windows Defendes Frewal state: on
Fohiahetmy v lncoiaing connactions Block all connections 1o spps that are nct on the
st of allowed apps
Active public networks: ™ Newok
Netficaton state: Not#y me when Windows Defender Firewall
blocks
3 new app
Proxy Servers
(1 of 2)
A reverse proxy routes requests coming from an external network to

the correct internal server
A proxy server can provide a degree of protection
e It can look for malware by intercepting it before it reaches the internal endpoint
eIt can hide the IP address of endpoints inside the secure network so that only the
proxy server’s IP address is used on the open Internet
Forward proxy server Reverse proxy
P r‘ OX User makes replaces server routes to
request Source IP with its own IP correct server
Source IP = Source IP = Source IP =
Servers (2
Web
192.146.118.20 192.146.118.254 192.146.118.254 server 1
ot -8
IP =192.146.118.20 Forward proxy
server
e s
Internet Reverse proxy
server 123.org
IP=192.146.118.254 il
.‘71..;51“" sessll
e© server 3
Figure 9-5 Forward and reverse proxy servers
Dece pt Ion e By directing threat actors away from a valuable asset to
| nStru me ntS something that has little or no value
Network deception can involve creating and using

(1 of 3) honeypots and sinkholes
Honeypots
¢ A honeypot is a computer located in an area with limited

security that serves as “bait” to threat actors
e Two goals of using a honeypot:
e Deflect or redirect
e Discover
65727 64,025 3281 249 = 152
pt i O n :
D e Ce
Instruments 1]
2 of 3
Figure 9-6 Honeypot dashboard
aam Honeypots (continued) ————
» Different types of honeypots:

D ece pt | on ¢ A low-interaction honeypot may only contain a login prompt
* A high-interaction honeypot is designed for capturing more
|nstru ments information from the threat actor
¢ This type of honeypot can collect information from threat
(3 Of 3) actors about attack techniques or the particular
information they are seeking from the organization
¢ A honeynet is a network of honeypots set up with intentional
vulnerabilities
¢ A sinkhole is a “bottomless pit” designed to steer unwanted

traffic away from its intended destination to another device
* The goal is to deceive the threat actor into thinking the
attack was successful
* DNS sinkhole: Commonly used to counteract DDoS attacks.
Intrusion
Detection
and
Prevention Inline system is connected directly to the network and
Syste ms ( 1 Of monitors the flow of data as it occurs
3) A passive system is connected to a port on a switch, which

receives a copy of network traffic
IDS systems can be managed in different ways:
* In-band management is through the network itself by using network protocols

and tools
e Out-of-band management is using an independent and dedicated channel to
reach the device
* Monitoring Methodologies
Intrusion * Anomaly-based monitoring compares current
Detection detected behavior with baseline
* Signature-based monitoring looks for well-
and _ known attack signature patterns
Prevention * Behavior-based monitoring detects abnormal
Systems (2 of actions by processes or programs
3) » Alerts user who decides whether to allow or
block activity
* Heuristic monitoring uses experience-based
techniques
* Attempts to answer the question “Will this
do something harmful if it is allowed to
execute?”
Intrusion
Detection
and
Prevention
Systems (3 Of ¢ NIDS sensors installed on firewalls and routers
gather information and report back to central
3) device
A network intrusion prevention system

(NIPS) monitors to detect malicious
activities and also attempts to stop them
Network
Hardware
Security
I\/I Od u | es For endpoints, an HSM is typically a USB device, an expansion
card, or a device that connects directly to a computer through a
port
A network hardware security module performs cryptographic

operations such as key management, key exchange, onboard
random number generation, key storage facility, and accelerated
symmetric and asymmetric encryption
Configuration
Management
Basic configuration management
tools include:
e Secure baseline configurations
e Standard naming conventions
e Defined Internet Protocol schema
e Diagrams
Security Technologies
There are general security
technologies that can provide a
defense
Access technologies
Categories of security ~ Monitoringand

managing
technologiesinclude: technologies
Design technologies
ty+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
licly accessible website, in whole or in part.
* Access Control List (ACL)
An access control list (ACL) contains rules that
administer the availability of digital assets by granting
Access or denying access to the assets
Technologies Two types of ACLS include:
* Filesystem ACLs filter access to files and directories
(1 of 7) on an endpoint by telling the OS who can access the
device and what privileges they are allowed
* Networking ACLs filter access to a network
. Often found on routers
Router ACLs can be used on external routers to restrict
vulnerable protocols and limit traffic from entering the
network
Internal router ACLs are often configured with explicit
allow and deny statements for specific addresses and
protocol services
* Virtual Private Network (VPN)
* AVPN is a security technology that enables
authorized users to use an unsecured public
Access network (the Internet) as if it were a secure private
Technologies network
(2 Of 7) * Two common types of VPNs:
* A remote access VPN
* Asite-to-site VPN
* A full tunnel sends all traffic to the VPN
concentrator and protects it
* A split tunnel routes only some traffic over the
secure VPN while other traffic directly accesses the
Internet (this helps preserve bandwidth)
* The most common protocols used for VPNs are
IPsec and SSL
* Network Access Control (NAC)
NAC examines the current state of a system or network
device before it can connect to the network
Access Any device that does not meet a specified set of criteria
Technologies can connect only to a “quarantine” network where the
security deficiencies are corrected
(3 of 7) NAC uses software “agents” to gather information and
report back (called host agent health checks)
An agent may be a permanent NAC agent or a
dissolvable NAC agent that disappears after reporting
information to the NAC
The NAC technology can be embedded within a
Microsoft Windows Active Directory (AD) domain
controller
* NAC uses AD to scan the device (called agentless
NAC)
Quarantine network
5. If no Health
Certificate, client
A C C e S S sent to quarantine 2. Statement of Health sent
to Health Registration Antivirus server
Technologies assessment
Authority
Statement Health Registration

of Health
(4 of 7) . \
Authority
[cithe
4. Health Certificate presented
3. Health Certificate
issued to client Patch management
server
= el
to network server
f
Figure 9-7 Network access control (NAC) process
* Data Loss Prevention (DLP)
* DLP is considered as rights management, or the
authority of the owner of the data to impose
ACCGSS : restrictions on its use
Tech nO|Og|eS * DLP is a system of security tools that is used to
recognize and identify data that is critical to the
(5 of 7) organization
* Most DLP systems use content inspection which is
defined as a security analysis of the transaction
within its approved context
* An administrator creates DLP rules based on the
data and the policy
* These rules are loaded into a DLP server
* When a policy violation is detected by the DLP
agent it is reported back to the DLP server
* Data Loss Prevention (continued)
* When a server is notified of a policy violation different
ACCGSS actions can be taken:
. * Block the data
Technol ogles * Redirect it to an individual who can examine the request
(6 Of 7) e Quarantine the data until later
* Alert a supervisor of the request
* A process called tokenization obfuscates sensitive data
elements, such as an account number, into a random string
of characters (token)
* The original sensitive data element and the token are
stored in a database called a token vault so that if the
actual data element is needed, it can be retrieved as
needed
* Tokenization is illustrated in Figure 9-8 on the following
slide
User Data with tokenization
Alessia Oplontis Alessia Oplontis
SSN: 293-56-5094 SSN: 678-12-0508
Account: 9847230982 Account: 0283761435
Access
Technologies Plain text value | Token value
293-56-5094 678-12-0508
Hiieseell @
(7 of 7) 9847230982 0283761435
Token vault
Figure 9-8 Tokenization

Technologies * Port Security
for * Threat actors who access a network device through
. . an unprotected port can reconfigure the device to
Monitoring their advantage
a nd * Route security is the trust of packets sent through
a router
Managl ng (1 * False route information can be injected or
of 6) altered by weak port security
* Broadcast storm prevention can be accomplished
by loop prevention
* Loop prevention uses the IEEE 802.1d standard
spanning-tree protocol (STP)
» STP uses an algorithm that creates a hierarchical
tree layout that spans the entire network
Switch A
Segment 3
Segment 1
Technologies
fO r . Segment 2 .
Monitoring Switch B Switch C

and Managing
(2 of 6) Beta
Figure 9-9 Broadcast storm

Technologies
for » Analyzing packets helps to monitor network performance
Monitoring and reveal cybersecurity incidents
* Monitoring traffic on switches can be done in two ways:
and A separate port TAP (test access point) can be installed
Managing (3 Port mirroring (also called port spanning) allows the

administrator to configure the switch to copy traffic on
of 6) some or all ports to a designated monitoring port on the

switch
¢ An external third-party monitoring service can be used to

provide additional resources to assist an organization in its
cybersecurity defenses
Switch TAP Router
Technologies
for
Monitoring B
: Out-of-band monitoring
and Managing desi]
(4 of 6)
Figure 9-10 Port TAP
Switch RoiiteF
Technologies
for
Monitoring | .
and Managing Out-of-ba?gorlnonltorlng
(5 of 6)
Figure 9-11 Port mirroring
Technologies
for ¢ File integrity monitors examine files to see if they have
changed
Monitoring e File integrity monitors are used for detecting malware as
and well as maintaining compliance with industry-specific

regulations
Managing (6
of 6)
* QoS is a set of network technologies used to guarantee its
ability to dependably serve network resources and high-
priority applications to endpoints
* A network administrator can assign the order in which
packets are handled and the amount of bandwidth given
to an application or traffic flow (called traffic shaping)
» Almost all firewalls today recognize QoS settings
* Network Segmentation
De5|gn * Examples of network segmentation include virtual
TeChnOlogies LANs and a demilitarized zone
» Zero trust is a strategic initiative about networks
(1 Of 7) that is designed to prevent successful attacks
* It attempts to eliminate the concept of trust
from an organization’s network architecture
» Zero trust requires that networks be segmented
* A network can be segmented by separating devices
into logical groups by creating a virtual LAN (VLAN)
* VLANSs can be isolated so that sensitive data is
transported only to members of the VLAN
* Network Segmentation (continued)
* A demilitarized zone (DMZ) is a separate
Design ,
network located outside secure network
. perimeter
Technolog|es * Untrusted outside users can access DMZ but
(2 of 7) cannot enter the secure network
* A common approach to configuring a DMZ is to
use a jump box (sometimes called a jump
server or jump host)
* A jump box is a minimally configured
administrator server that connects two
dissimilar security zones while providing
tightly restricted access between them
Firewall Firewall
[
Internet Router | |
Switch . Switch .
Design
Technologies DMz
(3 of 7) Wil eseeli ®
{itesesll @
Miiessell @
il esosll @
LM eeseli @
sl @ el
Mileecell ®
eson il @
- IR ee-ei @ !_l. wene) (Tuene
Web Email Database Application
server server server server
Figure 9-12 DMZ with two firewalls

Firewall Firewall
& k
oo
[ E X N N ]
Internet Router |
Switch . Switch .
Design V—
Technologies g e o
- :-7” , Jump box A sessll @ o --o_ ne|
(4 of 7) III!I i !| .7
8y, Wil sseell @
e
Database
W
App;lication
i s6¢s ne Al ssoell @
%:&I_Iu- ne iseeell @
Web Email
server server
Figure 9-13 Jump box

* Load Balancing
* Load balancing is a technology that can help to
evenly distribute work across a network and can
DeSlgfl allocate requests among multiple devices
i
ecnnologies * Advantages of load-balancing technology:
* Reduces probability of overloading a single
(5 Of 7) server
* Optimizes bandwidth of network computers
* Load balancing is achieved through software or
hardware device (load balancer)
¢ Different scheduling protocols used in load
balancers:
* Round-robin
* Affinity
* Load Balancing (continued)
* When multiple load balancers are used together, they
can be placed in different configurations that include:
Design * In an active-passive configuration, the primary load
TeCh no | Ogies balancer distributes the network traffic to the most
suitable server, while the secondary load balancer
(6 Of 7) operates in a “listening mode”
* In an active-active configuration, all load balancers
are always active
* Load balancing can also support session persistence,
which is a process in which a load balancer creates a
link between an endpoint and a specific network server
for the duration of a session
* This can help improve the user experience and
optimize network resource usage
_ * Load Balancing (continued)
Design - Security advantages of using a load balancer:
Tech nologies * They can detect and stop attacks directed at
a server or application
(7 of 7) * Can also
PP
detect
and prevent protocol attacks
* Some load balancers can hide HTTP error
pages or remove server identification
headers from HTTP responses, denying
attackers additional information about the
internal network
Load Balancers
fi Web Server 1
Web Server 3
summary
A computer firewall is designed to limit the spread of malware
Stateless packet filtering on a firewall looks at a packet and
permits or denies it based solely on the firewall rules
Summary (1 * Stateful packet filtering uses both the firewall rules and the
state of the connection
of 2) There are several specialized firewall appliances: a web
application firewall (WAF), a next generation firewall (NGFW),
unified threat management (UTM) device
A forward proxy is a computer or program that intercepts user
requests from the internal network and processes these
requests on behalf of the user
A honeypot is a computer located in an area with limited
security that serves as “bait” to threat actors
An intrusion detection system (IDS) can detect an attack as it
occurs, an intrusion prevention system (IPS) attempts to block
the attack
A network hardware security module is a special trusted
network computer that performs cryptographic
operations such as key management, key exchange,
onboard random number generation, key storage facility,
Summa ry (2 and symmetric and asymmetric encryption
f 2 * An access control list (ACL) contains rules that administer
the availability of digital assets by granting or denying
access to the assets
* Network access control (NAC) examines the current state
of an endpoint before it can connect to the network
* Data loss prevention (DLP) is a system of security tools
used to recognize and identify data critical to the
organization and ensure that it is protected
* Broadcast storm prevention can be accomplished by loop
prevention, which uses the IEEE 802.1d standard
spanning-tree protocol (STP)
Due to nature of the course, various
materials have compiled from different
internet-based resources with some
modification. | sincerely acknowledge their
hard work and contribution.
Any Questions
ddddd ; = nqwa 0n(e
- REIEE: tsabh 8081,=
cnacv
gB
n6omm
filos Mu._ Nmum dank]fl ""“'"
rnatundu
aaaaa
h-:'S —mm manana
it cei
==
.=E“
% mmsmuc chakkeram
=1 M—z%‘fimfiifidhkm“’:fl“ aigaaibhlo maithdakujemagae t -
U == e
flh“fla 0" gzotn,b m,5 3 ok Mot o k2 £ MEPCH
;«zw*wwii
‘“‘ 1}‘] ]L
‘le m
e[ cl

MIT 420 Chapter 9 Removed-3

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MIT 420 Chapter 9 Removed-3

Uploaded by

Copyright:

Available Formats

Module 09: Network

Dr. Sikder Kamruzzaman

1) List the different types of network security

2) Describe network security technologies

A firewall uses bidirectional inspection to examine outgoing

Rllers Access | Applications Privacy

URL hist Safe websites Unsafe websites

Figure 9-1 Content/URL filtering

* Open source vs. proprietary

. e Private networks Connected

O Active private networks: ¥ Network

Notification state: Notify me when Windows Defender Firewall blocks a

Active public networks: None

Notification state: Notify me when Windows Defender Firewall blocks a

Figure 9-3 Windows host-based firewall

Figure 9-4 Appliance firewall

0“. Check Poent Soware Technologes

Huawel Suriges Heworks

Hiscee Netwods “’“‘.“"

W Windows Defender Frewsll - o x

Bl Tiediica Help protect your PC with Windows Defender Firewall

A reverse proxy routes requests coming from an external network to

A proxy server can provide a degree of protection

Figure 9-5 Forward and reverse proxy servers

Network deception can involve creating and using

¢ A honeypot is a computer located in an area with limited

Figure 9-6 Honeypot dashboard

» Different types of honeypots:

¢ A sinkhole is a “bottomless pit” designed to steer unwanted

3) A passive system is connected to a port on a switch, which

IDS systems can be managed in different ways:

* In-band management is through the network itself by using network protocols

A network intrusion prevention system

A network hardware security module performs cryptographic

Categories of security ~ Monitoringand

Statement Health Registration

Figure 9-8 Tokenization

Monitoring Switch B Switch C

Figure 9-9 Broadcast storm

Managing (3 Port mirroring (also called port spanning) allows the

of 6) some or all ports to a designated monitoring port on the

¢ An external third-party monitoring service can be used to

and well as maintaining compliance with industry-specific

Figure 9-12 DMZ with two firewalls

Figure 9-13 Jump box

You might also like