IT Security Foundations: Network Security — Notes

Amani Benaoun
9 min read · Sep 1, 2021

Today’s article is a collection of my notes from the LinkedIn course entitled “IT Security Foundations: Network Security”. It is the 4th of 12 courses in the “Become an IT Security Specialist” learning path. The course is divided into 6 sections:

  • Security Devices.
  • Network Isolation.
  • Avoiding Attacks.
  • Using Secure Protocols.
  • Client Protection.
  • Physical Security.

Security Devices

A firewall is a hardware- or software-based method of controlling incoming and outgoing traffic, based on a set of rules that either permit or deny traffic on a network or host. Firewalls give the administrator greater control over the types of traffic originating from inside and outside the protected network. Firewalls enforce access control between networks by using access control lists that filter traffic, and by monitoring established traffic patterns. Most support packet filtering and stateful packet inspection, and some offer network address translation. A router firewall can provide straightforward firewall features that block or allow certain IP addresses and port numbers, and routers use Network Address Translation (NAT) to mask private IP addresses. High-end hardware firewalls are dedicated appliances that provide high performance for small and mid-sized businesses, and also provide edge protection for critical infrastructure environments without reducing network performance.

Rules can be set on each interface for ingress and egress filtering. Ingress filtering filters traffic coming into the network; egress filtering prevents packets from leaving it. Egress filtering may stop malware from connecting to its command-and-control server; it can also block unwanted services and limit the network’s contribution to DDoS attacks.
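To make the ingress/egress and stateful-inspection ideas concrete, here is a small packet-filter simulation. It is an added example, not code from the course or the original notes: the rule format, the `Packet`/`Rule` classes and the sample policy and traffic (documentation addresses only) are all constructed for illustration. Rules are evaluated first-match per direction with a default deny, and replies to an already-allowed flow pass via the connection table rather than the rule list.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str         # "ingress" (entering the LAN) or "egress" (leaving it)
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    new_conn: bool = True  # True for a TCP SYN / first datagram, False for a reply


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str            # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    """First-match rule evaluation per direction, default deny, plus a connection table."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def process(self, p: Packet) -> str:
        # Stateful inspection: a reply to a flow we already allowed passes without a rule lookup.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow (established)"
        if not p.new_conn:
            return "deny (no matching state)"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return f"{r.action} (rule: {r.direction} {r.proto} dport={r.dport})"
        return "deny (default)"


# Constructed policy: 203.0.113.10 is the public web server, 198.51.100.53 the approved resolver.
RULES = [
    Rule("ingress", "allow", "tcp", dst="203.0.113.10/32", dport=443),
    Rule("ingress", "deny"),
    Rule("egress", "allow", "tcp", dport=443),
    Rule("egress", "allow", "tcp", dport=80),
    Rule("egress", "allow", "udp", dst="198.51.100.53/32", dport=53),  # DNS only to the approved resolver
    Rule("egress", "deny"),
]

# Constructed traffic (documentation addresses, not real hosts).
SAMPLE_PACKETS = [
    Packet("ingress", "tcp", "198.51.100.7", 51000, "203.0.113.10", 443),                 # client -> web server
    Packet("ingress", "tcp", "198.51.100.7", 51001, "203.0.113.10", 22),                  # SSH probe from outside
    Packet("egress", "tcp", "203.0.113.10", 443, "198.51.100.7", 51000, new_conn=False),  # web server reply
    Packet("egress", "udp", "10.0.0.25", 40000, "198.51.100.53", 53),                     # DNS to approved resolver
    Packet("egress", "udp", "10.0.0.25", 40001, "192.0.2.9", 53),                         # DNS to unapproved resolver
    Packet("egress", "tcp", "10.0.0.25", 40002, "192.0.2.77", 4000),                      # unapproved outbound port
    Packet("ingress", "tcp", "192.0.2.77", 4000, "10.0.0.25", 40002, new_conn=False),     # reply with no state
]


def run_demo(packets=SAMPLE_PACKETS, rules=RULES) -> List[str]:
    fw = StatefulFirewall(rules)
    verdicts = []
    for p in packets:
        v = fw.process(p)
        verdicts.append(v)
        print(f"{p.direction:7} {p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {v}")
    return verdicts


if __name__ == "__main__":
    run_demo()
```

The egress rules are the interesting part: the outbound connection to an unapproved port and the DNS query to an unapproved resolver are both dropped even though nothing inbound was involved, which is exactly the behaviour the notes describe for egress filtering.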

A honeypot is a system set up to lure a would-be attacker. It mimics the real system so that you can better observe an attacker’s behavior. A honeypot is also used to gather forensic evidence that may be required to aid in the apprehension or prosecution of intruders. Information gathered from the honeypot’s logs can reveal whether the attacker is a human or an automated system. It can also reveal the attacker’s location and their target. Best practices when setting up a honeypot:

  • Keep the system as generic as possible.
  • Put interesting data in the system.
  • Don’t use too many traps.

Keeping the operating system and applications updated is a first line of defense. Updates often resolve operability issues and reduce vulnerabilities.

Best practices to harden your system are:

  • Use anti-viruses and anti-spyware protection.
  • Secure email systems.
  • Backup and secure data files.
  • Use strong passwords.
  • Update the OS and apps.
  • Disable unused accounts.
  • Disable unwanted services.
  • Remove unnecessary programs.

Network Isolation

Segmenting the network using routers and VLANs provides an extra layer of isolation and protection. Switches are layer 2 devices that use MAC addresses to identify hosts. Routers route traffic between networks using IP addresses. A virtual local area network (VLAN) treats its hosts as if they are all part of the same sub-network, while logically separating networks within networks and creating smaller broadcast domains. Although it seems as if a VLAN is on the same network, each VLAN is a separate sub-network with its own IP address range. VLANs offer a number of advantages over traditional LANs. Performance is improved because smaller broadcast domains reduce broadcasts and multicasts. Using a dedicated VLAN for Voice over IP allows the VoIP traffic to be treated differently and prioritized, which helps prevent delays in delivering voice packets and reduces latency and jitter.

Server and domain isolation provides an additional layer of protection by requiring IPsec authentication and encryption for communication within the domain. Computers within the domain can communicate with one another, but computers outside of the domain cannot initiate communication within the domain. Key players in isolation include:

  • IPsec: Internet Protocol Security provides policy-based IP security, including peer authentication. It is a framework that provides a set of security processes.
  • Active Directory: a directory service that is part of the Windows Server operating system and provides authentication and authorization to systems and services on a network.
  • Kerberos: the authentication protocol built into Active Directory; it provides strong authentication and is built on symmetric-key encryption. IPsec can use Kerberos for Internet Key Exchange (IKE) authentication.

A perimeter network allows an organization to deploy public services such as email and web servers while isolating the internal network. Isolation is achieved by configuring a demilitarized zone (DMZ) or screened subnet, where traffic is filtered by a firewall placed between the outside world and the local area network. Honeypots can be placed in the DMZ to trap hacking attempts.

IPv4 has a 32-bit address represented in dotted-decimal format. Private IP addresses were adopted to provide addressing inside a local area network and conserve public address space. There are 3 classes of private IP addresses:

  • Class A: 10.0.0.0–10.255.255.255 (usually used for large companies)
  • Class B: 172.16.0.0–172.31.255.255
  • Class C: 192.168.0.0–192.168.255.255

In order to reach the internet, traffic must go through a NAT router, which translates the private IP address into a public IP address.
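The following is an added example (not from the course or the notes) that checks an address against the three private ranges listed above and then models the translation table a NAT router keeps, so you can see how the inside address is masked and why unsolicited inbound traffic has nowhere to go. The `NatRouter` class, its port numbering and the sample addresses are constructed for illustration.

```python
import ipaddress
from itertools import count
from typing import Dict, Optional, Tuple

# The three private ranges from the notes, in CIDR form.
PRIVATE_RANGES = {
    "Class A": ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    "Class B": ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    "Class C": ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
}


def private_class(addr: str) -> Optional[str]:
    """Return the private class name for addr, or None if it is a public address."""
    ip = ipaddress.ip_address(addr)
    for name, net in PRIVATE_RANGES.items():
        if ip in net:
            return name
    return None


class NatRouter:
    """Minimal port-address translation (NAPT) table, the common form of NAT on home/office routers."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.table: Dict[Tuple[str, int], int] = {}    # (private ip, private port) -> public port
        self.reverse: Dict[int, Tuple[str, int]] = {}  # public port -> (private ip, private port)

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate an inside source; the outside world only ever sees the public address."""
        if private_class(src_ip) is None:
            raise ValueError(f"{src_ip} is not a private address; nothing to translate")
        key = (src_ip, src_port)
        if key not in self.table:
            pub_port = next(self._ports)
            self.table[key] = pub_port
            self.reverse[pub_port] = key
        return self.public_ip, self.table[key]

    def inbound(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply back to the inside host; with no existing mapping the packet is dropped."""
        return self.reverse.get(dst_port)


if __name__ == "__main__":
    nat = NatRouter("203.0.113.5")        # constructed public address
    print(nat.outbound("192.168.1.10", 51234))   # ('203.0.113.5', 40000)
    print(nat.inbound(40000))                    # ('192.168.1.10', 51234)
    print(nat.inbound(40001))                    # None: unsolicited, dropped
```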

Avoiding Attacks

The OSI model has 7 layers, and there are attacks at every layer:

  • Application: software attacks exploiting code weaknesses, phishing, malware, …
  • Presentation: forced browsing failure, Unicode vulnerabilities, SSL/TLS stripping, …
  • Session: session hijacking, SIP flood, DNS poisoning, …
  • Transport: port scanning, SYN flood, …
  • Network: OS fingerprinting, ICMP attacks, …
  • Data Link: network sniffing, ARP cache poisoning, …
  • Physical: theft of devices, skimming attacks, …

There are a number of password attacks, such as:

  • Brute force: every possible combination is tried.
  • Dictionary attack: a list of common passwords is tried.
  • Password resetting.
  • Password sniffing: the password or its hash is obtained via packet analysis.

To defend against password attacks, stay away from common passwords, use multi-factor authentication, change your passwords periodically, and use a password manager.

Network sniffing uses a packet sniffer, network monitor, or analyzer. The sniffer captures the packets, decodes the bits, and displays the field values in each packet. Sniffing can also be used as a reconnaissance technique, on either a wired or a wireless network. If the traffic is in plaintext and not encrypted while in transit, its contents can be read. And if an attacker has physical access to a device, they can tap into the data stream to see even more of the traffic.

Protocol spoofing is when a malicious party impersonates another entity on the network with the objective of stealing data, spreading malware, or circumventing access controls. DNS spoofing modifies the DNS server cache. IP address spoofing hides the attacker’s real IP address. Email spoofing makes an email look like it is coming from another source, and is mainly used in social engineering attacks.

The Address Resolution Protocol (ARP) is used on a local network to associate an IP address with a hardware (MAC) address. Poisoning the ARP cache is a man-in-the-middle attack that redirects traffic to an attacker’s computer. With ARP spoofing, a fake or spoofed MAC address is placed on the LAN. This then allows the attacker to redirect traffic elsewhere in order to steal information by performing a man-in-the-middle attack.
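On the detection side, the symptom of ARP cache poisoning is visible in the ARP traffic itself: an IP address (typically the gateway) suddenly answering from a different MAC, or a single MAC answering for several IPs. The script below is an added example, not part of the course or the notes; the log format and the sample lines are constructed, and the optional `bindings` table stands in for the trusted IP-to-MAC bindings that dynamic ARP inspection (mentioned later in these notes) would check against.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the style of an ARP monitor log (not real captures).
SAMPLE_LOG = """\
2021-09-01T10:00:01 arp reply 192.168.1.1 is-at aa:bb:cc:00:00:01
2021-09-01T10:00:02 arp reply 192.168.1.20 is-at aa:bb:cc:00:00:20
2021-09-01T10:00:05 arp reply 192.168.1.1 is-at de:ad:be:ef:00:99
2021-09-01T10:00:06 arp reply 192.168.1.30 is-at de:ad:be:ef:00:99
"""

LINE_RE = re.compile(
    r"^(\S+) arp reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})$"
)


def detect_arp_anomalies(log_text: str,
                         gateway_ips: Tuple[str, ...] = (),
                         bindings: Optional[Dict[str, str]] = None
                         ) -> List[Tuple[str, str, str]]:
    """Return (timestamp, severity, message) alerts for suspicious ARP replies.

    - An IP whose MAC changes is flagged (HIGH when the IP is a gateway, the usual MITM target).
    - One MAC answering for several IPs is flagged.
    - If a trusted binding table is given, any reply contradicting it is flagged immediately.
    """
    bindings = bindings or {}
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips = defaultdict(set)
    alerts: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ARP reply line; ignore
        ts, ip, mac = m.groups()
        if ip in bindings and bindings[ip] != mac:
            alerts.append((ts, "HIGH", f"{ip} claimed by {mac}, trusted binding is {bindings[ip]}"))
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            sev = "HIGH" if ip in gateway_ips else "MEDIUM"
            alerts.append((ts, sev, f"{ip} moved from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "LOW", f"{mac} answers for {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for ts, sev, msg in detect_arp_anomalies(SAMPLE_LOG, gateway_ips=("192.168.1.1",)):
        print(ts, sev, msg)
```

In a real deployment the binding table would come from the switch’s DHCP snooping database or a static inventory; the history-based checks are what you would run over captured ARP traffic when no such table exists.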

Using Secure Protocols

The Domain Name System (DNS) is an application-layer protocol that resolves host names to IP addresses and uses port 53 over UDP or TCP. A client sends a query to a DNS server for an IP address; the server responds with the information, and if it doesn’t have the answer it can ask other servers for it. DNS Security Extensions (DNSSEC) add security to the Domain Name System and are designed to protect against attacks such as DNS cache poisoning. The extensions provide origin authentication of data and data integrity.

Internet Protocol Security (IPsec) is a protocol suite for securing IP communications. IPsec can both encrypt and authenticate each IP packet of a session between hosts, whether traveling through a local area network or across the Internet. IPsec provides security at the network layer. It is a general framework that provides a set of security processes and has three main functions: the Encapsulating Security Payload (ESP), the Authentication Header (AH), and key management. An IPsec VPN gives you flexibility in how you implement it and what level of security is required: IPsec can be implemented host to host, gateway to gateway, or gateway to host.

The Dynamic Host Configuration Protocol (DHCP) dynamically assigns IP addresses. The four-step process is discover, offer, request and acknowledge. When a host joins the network it doesn’t have an IP address, so it begins the DHCP process by broadcasting a discover packet. The client can be a victim of DHCP spoofing, as a reply can come from a legitimate server or from a rogue DHCP server. When a client requests an IP address from a DHCP server, the client has no reassurance that the server is legitimate; in addition, the server has no way of knowing that the client requesting the address is a legitimate client on the network. To reduce the risk, system administrators can authorize the DHCP servers in Active Directory, use VLAN access control lists, use dynamic ARP inspection, and so on.
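The discover/offer/request/acknowledge exchange, with a rogue server in the mix, as an added example that is not code from the course or the notes. It models the switch-side mitigation the notes allude to: server messages (OFFER/ACK) are only accepted from ports marked as trusted, which is the DHCP snooping approach. The message class, port names, addresses and the ordering of the two offers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DhcpMsg:
    kind: str           # DISCOVER, OFFER, REQUEST or ACK
    client_mac: str
    port: str           # switch port the frame arrived on
    server_ip: str = ""
    yiaddr: str = ""    # address offered to / assigned to the client


CLIENT_MAC = "aa:bb:cc:dd:ee:01"
CLIENT_PORT = "Gi0/1"
TRUSTED_PORTS = {"Gi0/24"}  # uplink towards the authorized DHCP server (constructed)

# Constructed: a rogue server on an access port answers first, the real one second.
SAMPLE_OFFERS = [
    DhcpMsg("OFFER", CLIENT_MAC, "Gi0/7", server_ip="192.168.1.250", yiaddr="192.168.1.100"),
    DhcpMsg("OFFER", CLIENT_MAC, "Gi0/24", server_ip="192.168.1.1", yiaddr="192.168.1.50"),
]


def server_message_allowed(msg: DhcpMsg, trusted_ports: Set[str]) -> bool:
    """DHCP-snooping style rule: OFFER and ACK may only arrive on trusted ports."""
    return msg.kind not in ("OFFER", "ACK") or msg.port in trusted_ports


def run_dora(offers: List[DhcpMsg], trusted_ports: Optional[Set[str]] = None
             ) -> Tuple[Optional[Dict[str, str]], List[str]]:
    """Walk one client through Discover/Offer/Request/Acknowledge.

    trusted_ports=None models a switch without snooping: the client, which cannot
    tell servers apart, simply takes the first offer it hears.
    """
    log = [f"DISCOVER broadcast from {CLIENT_MAC} on {CLIENT_PORT}"]
    chosen = None
    for offer in offers:
        if trusted_ports is not None and not server_message_allowed(offer, trusted_ports):
            log.append(f"dropped OFFER of {offer.yiaddr} from {offer.server_ip} (untrusted port {offer.port})")
            continue
        log.append(f"OFFER of {offer.yiaddr} from {offer.server_ip} accepted")
        chosen = offer
        break
    if chosen is None:
        log.append("no valid offer; client stays unconfigured")
        return None, log
    request = DhcpMsg("REQUEST", CLIENT_MAC, CLIENT_PORT, chosen.server_ip, chosen.yiaddr)
    log.append(f"REQUEST for {request.yiaddr} sent to {request.server_ip}")
    ack = DhcpMsg("ACK", CLIENT_MAC, chosen.port, chosen.server_ip, chosen.yiaddr)
    if trusted_ports is not None and not server_message_allowed(ack, trusted_ports):
        log.append(f"dropped ACK from untrusted port {ack.port}")
        return None, log
    log.append(f"ACK: lease {ack.yiaddr} from {ack.server_ip}")
    return {"ip": ack.yiaddr, "server": ack.server_ip}, log


if __name__ == "__main__":
    for label, ports in (("without snooping", None), ("with snooping", TRUSTED_PORTS)):
        lease, log = run_dora(SAMPLE_OFFERS, ports)
        print(label, "->", lease)
        for entry in log:
            print("   ", entry)
```

Run without snooping, the client ends up with the rogue server’s lease simply because its offer arrived first; with the trusted-port check in place, that offer never reaches the client and the legitimate server wins.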

Client Protection

There are multiple ways to get attacked by a virus:

  • Email attachments.
  • Drive-by download.
  • Downloading software.
  • Un-patched software.

Anti-virus software runs in the background, and that is essential because viruses are designed to run in the background too. Viruses can be embedded in macros (a series of recorded, repeatable actions). Anti-virus vendors update their virus signatures regularly to defend against the latest viruses and malware. Different anti-virus programs have different detection rates, using both virus definitions and heuristics, some of which result in more effective detection.

User Account Control (UAC) is a feature in Windows that protects the security of the operating system. When a program wants to make a change, a dialog box opens and prompts you to choose whether or not you want the app to make changes. The prompt makes you take a second and think about what you’re doing, and may stop you from installing something that isn’t safe. This can help prevent the installation of malicious software.

The Encrypting File System (EFS) is simple and secure: it encrypts files and folders, and in certain Windows versions an encrypted file is shown with a lock icon.

Software restriction policies are used to protect clients by allowing only authorized software to run. Administrators can use software restriction policies to define what counts as trusted code. This protects clients and the organization so that malicious code is not allowed to run in your environment. AppLocker allows you to set rules, via Group Policy, on which programs are allowed to run.

The Principle of Least Privilege states that a program, process, or privileged user of a system should be assigned only the privileges needed, for the shortest time necessary and in as small a domain as possible, to complete a task without hindrance. User and application permissions should be granted according to this principle to reduce risk.

A Virtual Private Network (VPN) is a secure channel or tunnel between two endpoints. It provides confidentiality, authentication and integrity. VPNs provide protection at the data link, network, transport and application layers of the OSI model. Commonly used VPN technologies include IPsec, SSH, SSL/TLS, MPLS, OpenVPN, and browser-based VPNs for consumers. Secure Shell (SSH) offers VPN tunneling and built-in username and password authentication to establish a connection to a single computer.

Physical Security

Physical security is often overlooked when preparing the security plan for an organization. There are guidelines available online to follow when designing for security; among their goals are delaying intruders as much as possible and responding as quickly as possible. Physical computer security involves preventing theft, destruction, or tampering with computers, network hardware, or devices. Some best practices for physical security are:

  • Secure access to buildings and rooms.
  • Audit services, users and administrators.
  • Secure backup media.
  • Protect printers.
  • Don’t leave computers unattended.
  • Use a laptop cable lock.
  • Set and use passwords on portable IT devices.
  • Protect storage devices.

Access control is a framework composed of methods and logical controls to ensure the confidentiality, integrity and availability of network resources. All access control models should follow the least privilege rule. A layered approach should be implemented according to the needs of the organization. Access control can be enforced in 3 main categories:

  • Administrative: enforcing rules through policies.
  • Logical: enforcing rules through access controls.
  • Physical: limiting physical access to hardware.
