Network Security Architecture (Part 1)

Aryan Shrestha
10 min read · Dec 6, 2023


Embarking on a journey through the intricate landscape of Network Security Architecture, our story begins with Part 1 — a tale of vigilant guardians and fortified defenses.

1. Intrusion Detection System

Let’s get started. An intrusion detection system, also known as an IDS, is an alarm system for your network. There are two broad types of intrusion detection systems: host-based and network-based.

The key point to remember about an intrusion detection system is that it only monitors and alerts on signs of an attack. It does not take any action on an alert other than letting you know that it happened. There are three detection methods. Signature-based detection works like an antivirus: it has a database of signatures, and if something matches one of those signatures, it triggers an alert. Anomaly-based detection looks for things that are out of the ordinary. Behavior-based detection is very similar: it builds a baseline of what behavior is normal on a network or a device, and when it sees things outside of that normal behavior, it triggers an alert.
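To make the three detection methods concrete, here is an added toy IDS (example code written for this article, not the author's) that runs all three over a constructed set of connection records. The record format, the signature database, the set of "normal" ports and the port-count threshold are assumptions made for the illustration.

```python
# Added example (not code from the original post): a toy network IDS that applies the three
# detection methods described above to constructed connection records. The record format,
# the signature database, the "normal" port baseline and the thresholds are all assumptions.
import re

# Constructed sample traffic log: (src_ip, dst_ip, dst_port, payload_snippet)
SAMPLE_LOG = [
    ("10.0.0.5", "10.0.0.80", 80, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", "10.0.0.80", 80, "GET /login?user=admin' OR '1'='1 HTTP/1.1"),
    ("10.0.0.7", "10.0.0.80", 443, "TLS ClientHello"),
    ("10.0.0.9", "10.0.0.80", 22, "SSH-2.0-OpenSSH"),
    ("10.0.0.9", "10.0.0.80", 23, ""),
    ("10.0.0.9", "10.0.0.80", 3389, ""),
    ("10.0.0.9", "10.0.0.80", 445, ""),
]

# Signature-based: an antivirus-style database of known-bad patterns (assumed, illustrative).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "dir-traversal": re.compile(r"\.\./"),
}

def signature_alerts(log):
    """Alert when a payload matches a known signature. Returns (signature, src_ip) tuples."""
    return [(name, src) for src, _dst, _port, payload in log
            for name, pattern in SIGNATURES.items() if pattern.search(payload)]

def anomaly_alerts(log, baseline_ports=frozenset({22, 80, 443})):
    """Anomaly-based: alert on any destination port outside the learned 'normal' set."""
    return [("unusual-port", src, port) for src, _dst, port, _payload in log
            if port not in baseline_ports]

def behavior_alerts(log, max_distinct_ports=3):
    """Behavior-based: alert on a source that talks to more distinct ports than the baseline
    allows (port-scan-like behavior), regardless of which ports they are."""
    ports_per_src = {}
    for src, _dst, port, _payload in log:
        ports_per_src.setdefault(src, set()).add(port)
    return [("port-scan-like", src) for src, ports in ports_per_src.items()
            if len(ports) > max_distinct_ports]

def run_ids(log=SAMPLE_LOG):
    """An IDS only reports; nothing here drops or resets a connection (that is the IPS's job)."""
    return {
        "signature": signature_alerts(log),
        "anomaly": anomaly_alerts(log),
        "behavior": behavior_alerts(log),
    }

if __name__ == "__main__":
    for method, alerts in run_ids().items():
        print(method, alerts)
```

Note how the three methods catch different things in the same log: the signature finds the one request that matches a known pattern, the anomaly rule flags every port outside the baseline, and the behavior rule flags the one source whose overall pattern (many distinct ports) is abnormal even though two of its connections went to perfectly normal ports.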

2. Wireless Intrusion Detection

Wireless intrusion detection systems, or WIDS, look for attacks on a wireless network: for example, rogue access points or evil twins, devices on the network that are not supposed to be there, any signs of a denial-of-service attack, or MAC address spoofing.

The device pictured at the top is a Hak5 WiFi Pineapple. These devices are purpose-built to perform these types of attacks for penetration testing on a network. The device pictured below is a pocket Deauther.

This device can send deauthentication frames to a wireless access point to kick off clients. When those clients re-establish their connection, the handshake is captured; this can be taken offline and cracked, and then you have the password for the network. It can also be used as a denial-of-service device, blocking all clients from connecting to a network.

3. Intrusion Prevention System

Intrusion prevention systems, or IPS, take this a step further. They do the same thing as intrusion detection systems, but once something is detected, they take action on it. For example, they can reset connections or block traffic altogether. The key point to remember about an intrusion prevention system is that it must be placed inline on the network to monitor traffic. If it can’t see all of the traffic on the network, then it can’t take action when it detects something. Wireless intrusion prevention systems can go as far as blocking particular clients from being on the network and stopping denial-of-service attacks.

4. Traffic Mirroring

This is also known as port mirroring or SPAN ports. Here you configure one switch port to receive a copy of all the traffic passing through the switch. On switches, traffic normally goes only to the port where the destination device is connected, so if you want to see all the traffic going through the switch, you have to configure a mirror (SPAN) session on it.

This allows you to sniff all the traffic on the network. You could run it through a protocol analyzer such as Wireshark, or pipe it into your network intrusion detection system so that it can see everything.

5. Perimeter Security Devices

  • Router

The first one, which you are probably all familiar with, is a router. A router, in its most basic sense, forwards traffic from one network to another by checking IP addresses. In doing that, it can determine whether this traffic should be forwarded, blocked, or sent somewhere else. We can do that with an access control list. Routers are often the first line of defense inside the network, preventing traffic from going where it should not.

  • Load Balancer

Load balancers inspect the incoming web traffic and then redirect it to one of the available web servers behind them. This is usually associated with availability and fault tolerance.

6. Network Address Translation (NAT)

If you’re using a router at your house, maybe the one that your internet service provider gave you, or a TP-Link or similar device you bought, then you’re probably using NAT. Network address translation allows you to have a private subnet behind the device. These are the IP addresses that we’re all familiar with seeing, the 192.168.0.0-type networks. The NAT translates those private addresses into the WAN address and allows the traffic to go out on the Internet. From the Internet side, it appears as if you have only one IP address, your public WAN IP address.
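The translation the paragraph describes is a table: each outbound flow from a private host gets its own port on the single WAN address, and replies are mapped back through the same table. The following is an added example written for this article (not the author's code); the WAN address, private addresses and port range are constructed values.

```python
# Added example (not code from the original post): a minimal NAT (strictly, port address
# translation) table showing how several private hosts share one public WAN address.
# The WAN address, private addresses and port range are constructed for the illustration.
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges, the "192.168.0.0-type" networks the post refers to.
PRIVATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def is_private(ip):
    return any(ip_address(ip) in net for net in PRIVATE_RANGES)

class NatTable:
    def __init__(self, wan_ip, first_public_port=40000):
        self.wan_ip = wan_ip
        self.next_port = first_public_port
        self.outbound = {}  # (private_ip, private_port) -> public_port
        self.inbound = {}   # public_port -> (private_ip, private_port)

    def translate_outbound(self, src_ip, src_port):
        """Rewrite a private source to (WAN address, unique public port)."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address; nothing to translate")
        key = (src_ip, src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (self.wan_ip, self.outbound[key])

    def translate_inbound(self, public_port):
        """Map a reply arriving on the WAN address back to the private host. Returns None when
        no inside host opened that mapping, which is why unsolicited inbound traffic is dropped."""
        return self.inbound.get(public_port)

def demo():
    nat = NatTable("203.0.113.7")  # constructed WAN address (TEST-NET-3 range)
    a = nat.translate_outbound("192.168.0.10", 51000)
    b = nat.translate_outbound("192.168.0.11", 51000)        # same private port, distinct mapping
    a_again = nat.translate_outbound("192.168.0.10", 51000)  # an existing flow reuses its mapping
    return a, b, a_again, nat.translate_inbound(40001), nat.translate_inbound(9999)
```

The last return value shows the side effect that makes a NAT router a weak default barrier: a packet arriving from the Internet on a port no inside host has opened has nowhere to go, so it is discarded.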

7. Forward/Transparent Proxy

The key to remember about these is that they work from inside the network. When a client on the inside of the network wants to go to a particular webpage, it first goes to the proxy, and then the proxy requests that page for the client and sends it back. Everything is routed through the proxy. This allows the proxy to intercept the traffic and see if there’s anything malicious in it, but it also allows it to deny clients access to sites that may not be approved for those clients to surf to. Proxies also have to understand the protocol that they’re going to be handling. Multipurpose proxies can handle several protocols such as HTTP, FTP, and SMTP.

8. Reverse Proxy

A reverse proxy is the exact opposite. This is for traffic from the outside of the network coming in. It can be used to improve the performance of a website because it can cache data and send the data faster to clients. It sits inline with the traffic, between the outside clients and the server they are requesting. Reverse proxies are outside-in; transparent proxies are inside-out.

9. Firewalls

A firewall is a device that filters traffic that passes through it. This is done by looking at the source of the traffic, the destination, the protocol, and the ports that it wants to go to. From there, the firewall decides what it needs to do with that particular traffic. For example, if we have a website on port 80 behind the firewall, the firewall may allow all traffic to port 80 to be forwarded to the IP address of the web server behind it. It’s really good for this kind of direct traffic handling, sending to a particular server or blocking everything based on rules. But if you want something more complex, such as looking at the actual content of the traffic coming through, you need a more robust device. That brings us to Firewalls Cont.
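The following added example (written for this article, not the author's code) shows the rule evaluation just described: each rule looks only at protocol, source, destination and destination port, rules are tried top-down with the first match winning, and anything unmatched is denied. The addresses come from the TEST-NET documentation ranges and the rule format is an assumption.

```python
# Added example (not code from the original post): a stateless packet-filter rule set evaluated
# top-down, first match wins, with an explicit default deny. Addresses are constructed
# (TEST-NET ranges); the rule format is an assumption for the illustration.
from ipaddress import ip_address, ip_network

# (action, protocol, source network, destination network, destination port or None for any)
RULES = [
    ("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80),   # anyone may reach the web server
    ("allow", "tcp", "10.0.0.0/8", "203.0.113.10/32", 22),  # only internal hosts may SSH to it
    ("deny",  "any", "0.0.0.0/0", "0.0.0.0/0", None),       # default deny everything else
]

def matches(rule, proto, src, dst, dport):
    """True when the packet's 4 header fields fall within what the rule specifies."""
    _action, r_proto, r_src, r_dst, r_port = rule
    if r_proto != "any" and r_proto != proto:
        return False
    if ip_address(src) not in ip_network(r_src) or ip_address(dst) not in ip_network(r_dst):
        return False
    return r_port is None or r_port == dport

def evaluate(proto, src, dst, dport, rules=RULES):
    """Return the action of the first matching rule; deny if nothing matches at all."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule[0]
    return "deny"
```

Nothing in `evaluate` ever looks at the packet's payload. A request to port 80 carrying a SQL injection string is indistinguishable from a normal page load at this layer, which is exactly the gap the UTM, NGFW and WAF devices in the next sections fill.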

10. Firewalls Cont.

  • Unified Threat Management (UTM): adds additional capabilities to a firewall, such as content filtering, spam filtering, antivirus scanning of traffic, and web filtering.
  • Next-Generation Firewall (NGFW): able to inspect higher-level protocols such as HTTP to aid in protecting against malicious traffic. Able to inspect the protocol as it passes the device and make decisions on the traffic.

11. Web Application Firewall (WAF)

These act as a shield for a website; they are specifically for protecting web servers from a wide range of attacks. Some examples would be SQL injection, cross-site scripting, cross-site request forgery, file inclusion, and directory traversal. There are several attacks that these can protect from, but these are the most common. We have three basic types of WAF devices:

  • Network-based: a separate host or VM, the most expensive but offers the most flexibility.
  • Host-based: software that runs on the host that is being protected. Inexpensive but complicated to configure. ModSecurity is an example.
  • Cloud-based: delivered via a cloud platform, is less expensive, and offers expert implementation with low maintenance.

12. Virtual Private Networks (VPNs)

The most basic use of a VPN is to connect two networks. So, if you have a remote office in one city and the main office in another, you can create a virtual private network, which is an encrypted tunnel between the two, allowing the two networks to communicate with each other securely across the internet. Here are some common VPN protocols: OpenVPN, IPsec, L2TP, WireGuard, SSTP, etc.

13. Network Access Control

These devices create a baseline that every device connected to the network must adhere to. For example, the device must be at a required patch level, must have an antivirus program that’s on the approved list, and that antivirus must be up to date. Maybe you also have to have a host firewall enabled. When a device is plugged into the network and doesn’t meet the standards, it is not allowed to connect. This way you’re only allowing trusted devices onto the network.

14. Security Information and Event Management (SIEM)

This is the security software that collects data from a multitude of sources on your network. For example, it may collect data from your firewall, your endpoints, your domain controllers, and many other types of devices, bring them all into one place, and then look at all of that data at one time to spot the patterns of an attack. So for example, seeing one failed user login on one machine might not be a big deal. But if it happened across 20 machines at the same time, that might be indicative of an attack. The SIEM is able to take all of that data in and then alert you to it so that you can take further action. A SIEM typically has the following functions: aggregation, correlation, alerting, visibility, compliance, and data retention.
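Here is the failed-login scenario from the paragraph worked as a small aggregation-plus-correlation pipeline. It is an added example written for this article, not the author's code or any SIEM product's logic; the log line format and sample events are constructed, and the five-minute window and three-host threshold are assumed tuning values.

```python
# Added example (not code from the original post): SIEM-style correlation of failed logins
# aggregated from many hosts. The log line format and the sample events are constructed;
# the five-minute window and the three-host threshold are assumed tuning values.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events as they might arrive from several endpoints and domain controllers.
SAMPLE_LOGS = [
    "2023-12-06T09:00:01 host=ws01 event=login_failed user=jdoe",
    "2023-12-06T09:00:03 host=ws02 event=login_failed user=jdoe",
    "2023-12-06T09:00:04 host=ws03 event=login_failed user=jdoe",
    "2023-12-06T09:00:06 host=ws04 event=login_failed user=jdoe",
    "2023-12-06T09:00:10 host=ws05 event=login_failed user=asmith",  # a single failure: no alert
    "2023-12-06T09:00:12 host=ws05 event=login_ok user=asmith",
    "2023-12-06T09:00:00 host=ws01 event=login_failed user=bob",     # spread over hours: no alert
    "2023-12-06T10:00:00 host=ws02 event=login_failed user=bob",
    "2023-12-06T11:00:00 host=ws03 event=login_failed user=bob",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+)$")

def parse(lines):
    """Aggregation step: normalise raw lines from different sources into one event schema."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that do not fit the schema are skipped rather than crashing the pipeline
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def correlate(events, window=timedelta(minutes=5), min_hosts=3):
    """Correlation step: the same account failing to log in on at least min_hosts distinct
    machines inside one sliding window is reported. Returns (user, sorted hosts) alerts."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "login_failed":
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, sorted(hosts)))
                break  # one alert per user is enough for the analyst
    return alerts

def run(lines=SAMPLE_LOGS):
    return correlate(parse(lines))
```

The point of the sample data is that no single host would have raised this: each workstation saw one failed login for jdoe, which on its own is noise. Only by pulling the events from all four hosts into one place and correlating on the account and time window does the pattern appear.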

15. Activity and Traffic Sensors Cont.

NetFlow and sFlow are network protocols for capturing network traffic metadata for analysis. We also have file integrity monitoring. This ensures that the files on different devices or endpoints haven’t changed. It looks for signs of malicious activity where an attacker has come in and made changes to specific system files, such as DLL files on Windows machines. A file integrity monitoring system ensures that this hasn’t been done.

  • Simple Network Management Protocol: This operates on UDP ports 161 and 162. It is a very common system for monitoring and managing network infrastructure. Switches, routers, firewalls, and sometimes even workstations will have SNMP. It consists of two parts: the monitors (managers) and the agents. If you’re not using SNMP on your network, or if a device doesn’t need it, it’s highly recommended that you disable it, because a lot of information can be gleaned from querying an SNMP daemon that’s running on a particular system.
  • Data Loss Prevention: This is software that’s designed to protect the data that’s on a network. Once the sensitive data on a network has been defined, you can set different levels of access to that data: who is allowed to access it, and then what they are able to do with it. For example, are they able to print it? Are they able to copy it? Are they able to email it? That type of thing. We can set rules up for all users to ensure that data is not exfiltrated from the network improperly.
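File integrity monitoring as described above comes down to hashing a known-good set of files and comparing later snapshots against that baseline. The following is an added example written for this article (not the author's code or any FIM product's): it builds the baseline, diffs a later snapshot, and reports modified, added and removed files. The demo works entirely inside a temporary directory with constructed file contents, so it runs offline without touching real system files.

```python
# Added example (not code from the original post): a file integrity monitor that hashes a tree,
# stores the baseline, and reports modified, added and removed files. The demo works in a
# temporary directory with constructed file contents, so it runs offline without touching
# real system files.
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream so large binaries fit in memory
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline

def compare(baseline, current):
    """Diff two snapshots; any non-empty list means monitored files were changed."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    with tempfile.TemporaryDirectory() as root:
        def write(name, text):
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        write("system.dll", "original library bytes")  # constructed stand-ins for system files
        write("config.ini", "setting=1")
        write("readme.txt", "unchanged")
        baseline = build_baseline(root)  # taken while the host is in a known-good state
        write("system.dll", "replaced library bytes")  # simulate tampering with a system file
        write("unknown.bin", "file that was not there before")
        os.remove(os.path.join(root, "config.ini"))
        return compare(baseline, build_baseline(root))
```

In a real deployment the baseline would be stored somewhere the monitored host cannot rewrite it (a central server or a signed database), since an attacker who can replace a DLL can also replace a baseline file kept next to it.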

16. Distributed Denial-of-Service (DDoS) Protection

This has become a massive problem in our industry where different websites are under attack, and there are some things we can do about it to help prevent those attacks from causing outages of our web resources.

  • Rate Limiting: this limits the rate of requests or throughput that reaches the server, so that the total bandwidth is not consumed.
  • WAF: We can put a web application firewall in line to prevent the traffic from actually reaching the web server.
  • Blackhole Routing: We can do black hole routing, which drops all inbound traffic that is destined to the endpoint, in this case, a web server.
  • Cloud Service Providers: We can use cloud service providers like Cloudflare that route all traffic through themselves first and handle it before it ever reaches our website.
  • DDoS Mitigation Software: We can also use DDoS mitigation software or an appliance, which is a purpose-built device to help us prevent this type of attack on our web servers.
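As an added example for the rate-limiting item above (written for this article, not the author's code), here is a per-client token-bucket limiter of the kind placed in front of a web server, run against a constructed flood from one source alongside a normal visitor. The client addresses, request timings and the rate/burst settings are constructed values.

```python
# Added example (not code from the original post): a per-client token-bucket rate limiter of
# the kind placed in front of a web server. The client addresses, the request timings and the
# rate/burst settings are constructed for the illustration.
import time
from collections import defaultdict

class TokenBucketLimiter:
    """Each client starts with `burst` tokens; tokens refill at `rate` per second;
    one request costs one token; a client with no token is dropped."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}  # client -> (tokens, last_refill_time)

    def allow(self, client):
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill, capped at burst
        if tokens >= 1:
            self.buckets[client] = (tokens - 1, now)
            return True
        self.buckets[client] = (tokens, now)  # over the limit: this request is dropped
        return False

def simulate(requests, rate=4, burst=8):
    """requests: (timestamp_seconds, client_ip) pairs. Returns allowed/dropped counts per client."""
    now = [0.0]
    limiter = TokenBucketLimiter(rate, burst, clock=lambda: now[0])  # injected clock for replay
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, client in sorted(requests):
        now[0] = ts
        stats[client]["allowed" if limiter.allow(client) else "dropped"] += 1
    return dict(stats)

def demo():
    # Constructed traffic: one source sending 8 requests/s for 5 s, and a normal visitor.
    flood = [(k * 0.125, "198.51.100.9") for k in range(40)]
    normal = [(1.0, "203.0.113.5"), (2.0, "203.0.113.5"), (3.0, "203.0.113.5")]
    return simulate(flood + normal)
```

With a refill rate of 4 per second and a burst of 8, the flooding source gets its first 8 requests through plus roughly 4 per second afterwards and has the rest dropped, while the visitor sending one request a second never loses anything. The buckets are per client, which is what keeps one noisy source from consuming the server's whole capacity; a volumetric attack from many sources is the case where the upstream options in the list (black-hole routing, a scrubbing provider) are needed instead.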

Conclusion

In conclusion, a robust network security architecture, incorporating IDS, WIDS, IPS, Traffic Mirroring, and various perimeter security devices, is essential for protecting digital assets from cyber threats. Firewalls, UTM, NGFW, WAFs, VPNs, Network Access Control, SIEM, and DDoS protection contribute to a comprehensive defense strategy. Stay tuned for Part 2, where we’ll explore encryption, endpoint security, cloud security, and emerging technologies to further enhance your network’s resilience.
