CISSP Network Security from Hardware Devices – Bk1D4T1St5

The practice of information security in an organization consists of proficiency with numerous infrastructure and network components that deliver prevention, detection, and response capabilities. Collaboration with other network architects and engineers will be necessary to implement and operate a defense-in-depth technical control portfolio.

To understand several of the following devices, working definitions of a few terms are needed. A broadcast domain is a logical division of a computer network in which all nodes can reach each other by broadcast at the data link layer: a broadcast frame sent by one system in the group is delivered to every other system in that group. A collision domain consists of all the devices attached to a shared medium on which a collision can occur between any two of them at any time. A data collision occurs if two systems transmit simultaneously, attempting to use the network medium at the same time, with the effect that one or both of the messages may be corrupted.

The operation of network security devices is affected by many circumstances of data transfer across media. Security professionals design and manage networks with consideration of the forces that help or hinder the signal. Collisions and broadcasts must be managed, as they significantly influence whether data transfer succeeds. With respect to the OSI model, collision domains are divided by any data link layer (layer 2) or higher device, and broadcast domains are divided by any network layer (layer 3) or higher device. When a domain is divided, systems on opposite sides of the deployed device are members of different domains. The same rule tells you how far a sniffer on a shared medium or a broadcast-based attack such as ARP spoofing can reach: no further than the domain the attacker's port belongs to.
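
The division rule above can be checked mechanically. The following script is an added example, not part of the source text: it models a small constructed topology (device and host names are invented) and counts collision and broadcast domains with a union-find over ports, applying the rule that a layer 1 device joins both domains across its ports, a layer 2 device joins only the broadcast domain, and a layer 3 device joins neither.

```python
"""Count collision and broadcast domains for a small constructed topology.

Added worked example; it is not from the source text. The device names,
links and the simplified port model are constructed for illustration.
Rule demonstrated: a layer 1 device (hub, repeater) joins both domains
across its ports, a layer 2 device (switch, bridge) joins only the
broadcast domain, and a layer 3 device (router) joins neither. An end
host does not forward between its own interfaces.
"""
from collections import defaultdict

# device type -> (joins collision domain across ports, joins broadcast domain across ports)
JOIN_RULES = {
    "host": (False, False),
    "hub": (True, True),
    "repeater": (True, True),
    "switch": (False, True),
    "bridge": (False, True),
    "router": (False, False),
}


class DisjointSet:
    """Union-find over port identifiers."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb

    def count(self):
        return len({self.find(x) for x in self.parent})


def count_domains(devices, links):
    """devices: {name: type}; links: [(device_a, device_b)], one cable per entry.

    Returns (collision_domains, broadcast_domains).
    """
    collision, broadcast = DisjointSet(), DisjointSet()
    ports = defaultdict(list)  # device -> list of its port identifiers
    for i, (a, b) in enumerate(links):
        pa, pb = (a, i), (b, i)
        ports[a].append(pa)
        ports[b].append(pb)
        # a cable is one shared medium: both ends share both domains
        collision.union(pa, pb)
        broadcast.union(pa, pb)
    for name, kind in devices.items():
        joins_collision, joins_broadcast = JOIN_RULES[kind]
        for p in ports[name][1:]:
            if joins_collision:
                collision.union(ports[name][0], p)
            if joins_broadcast:
                broadcast.union(ports[name][0], p)
    return collision.count(), broadcast.count()


def example_topology(distribution="router", access="hub"):
    """Two hosts on an access device, uplinked to switch1, then a distribution
    device, then switch2 with two more hosts. All names are constructed."""
    devices = {
        "hostA": "host", "hostB": "host", "hostC": "host",
        "hostD": "host", "hostE": "host",
        "access1": access, "switch1": "switch",
        "dist1": distribution, "switch2": "switch",
    }
    links = [
        ("hostA", "access1"), ("hostB", "access1"), ("access1", "switch1"),
        ("hostC", "switch1"), ("switch1", "dist1"), ("dist1", "switch2"),
        ("hostD", "switch2"), ("hostE", "switch2"),
    ]
    return devices, links


if __name__ == "__main__":
    for dist, acc in (("router", "hub"), ("router", "switch"), ("switch", "hub")):
        print(dist, acc, count_domains(*example_topology(dist, acc)))
```

Swapping the access hub for a switch raises the collision-domain count from 6 to 8 without changing the two broadcast domains; swapping the router for a switch collapses the whole network into one broadcast domain, which is exactly the reach an ARP-spoofing host would then have.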

Repeaters, Concentrators, and Amplifiers

Repeaters, concentrators, and amplifiers operate at the physical layer (layer 1). These simple devices extend the maximum distance a signal can travel over a specific medium type. They connect network segments that use the same protocol, and the systems they connect remain in the same collision domain and the same broadcast domain.

Hubs

Hubs, also known as multiport repeaters, are a physical layer (layer 1) technology. They work only with interconnected systems using the same protocol in the same domain. A hub simply repeats every inbound frame out of all its other ports, so the attached devices behave as a single shared segment. That is the security problem: every host on a hub receives every other host's traffic, and a network card in promiscuous mode captures all of it. Because hubs offer no way to limit this, they are typically prohibited in organizations and replaced with switches. Hubs are mainly a legacy technology with little modern use.

Tip The IEEE 802.3 Ethernet standard deprecates repeaters (and therefore hubs) for gigabit Ethernet and defines none for faster speeds, so a hub found in a production network is almost certainly an old 10/100 Mbps device.

Modems

To support computer communications, a device was needed to convert, or modulate, digital information onto an analog carrier signal. A modulator-demodulator, or modem, operates at the physical layer (layer 1) to support communications across public switched telephone network (PSTN) lines, often referred to as landlines. Modems were prevalent from the 1960s until the mid-1990s for WAN communications and are still found today in low-bandwidth environments such as building automation, SCADA, and industrial control systems, frequently as vendor maintenance or out-of-band access. A forgotten dial-in modem is a classic perimeter bypass: it can be located by war dialing and often has weak or no authentication, so an inventory of analog lines belongs in any assessment. Elsewhere, digital broadband technologies have replaced dial-up: integrated services digital network (ISDN), cable modems, DSL modems, and 802.11 wireless devices. The key improvement is the increased bandwidth and throughput these devices provide; capabilities like video streaming and teleconferencing are possible because of these advances.

Tip A modem, by definition, modulates a digital signal onto an analog carrier and demodulates it on receipt. Cable and DSL modems do exactly that (quadrature amplitude modulation on coaxial cable, discrete multitone on the copper pair), so the name is accurate for them; an ISDN terminal adapter, by contrast, is purely digital and is a modem only in casual usage. What is misleading is the consumer "modem" that is really an integrated device: modem plus router, switch, wireless access point, and usually NAT in one box. Such a gateway is a layer 3 device and should be hardened and patched like any other router.

Bridges

This technology operates at the data link layer (layer 2). A bridge forwards traffic from one network segment to another. Unlike repeaters, which just forward received signals, bridges forward frames based on the MAC addresses they have learned. If both networks use the same protocol, a bridge can connect them even if they differ in topology, cabling type, and speed; when the speeds differ, a buffer stores frames (store and forward) until they can be released onto the slower side. Systems on either side of a bridge are part of the same broadcast domain but are in different collision domains. Bridges run the spanning tree algorithm, standardized as the Spanning Tree Protocol (STP, IEEE 802.1D), to prevent frames from being forwarded in endless loops, which would otherwise cause broadcast storms. STP elects a root bridge (the lowest bridge ID, which is the configured priority followed by the bridge's MAC address), calculates each bridge's path cost to the root, and blocks the redundant paths while keeping them available in case a bridge or link fails. Because the election trusts whatever bridge protocol data units (BPDUs) it hears, an attacker who connects a device advertising a better bridge ID can become root and pull traffic through it; on access ports that should never see a bridge, features such as BPDU Guard and Root Guard discard such advertisements.

NOTE Watch for broadcast storms on bridged networks, which can degrade bandwidth and performance to the point of outage. They occur when redundant links exist between bridges and the spanning tree is missing or misconfigured: every bridge forwards each broadcast out of all its other ports, so the same frame circulates indefinitely and multiplies.
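
The root election described above, and what a rogue bridge does to it, is small enough to model. The following script is an added example, not code from the source: bridge names, MAC addresses, priorities and link costs are constructed. It elects the root by lowest (priority, MAC), computes each bridge's least-cost path to the root, shows the path frames take between two switches, then adds an attacker dual-homed to both switches who advertises priority 0, and finally models Root Guard on the two access ports as ports that block when they hear a superior BPDU.

```python
"""Spanning tree root election, a rogue root bridge, and Root Guard.

Added worked example; it is not from the source text. Bridge names, MAC
addresses, priorities and link costs are constructed. It models the
802.1D rules: the bridge with the lowest bridge ID (priority, then MAC)
becomes root, and every other bridge forwards toward the root along the
least-cost path, blocking redundant links. Root Guard is modelled as a
port that blocks (root-inconsistent state) when it hears a superior BPDU.
"""
import heapq


def elect_root(bridges):
    """bridges: {name: (priority, mac)} -> name with the lowest bridge ID."""
    return min(bridges, key=lambda n: bridges[n])


def root_paths(links, root):
    """Dijkstra from the root over links [(a, b, cost)].

    Returns ({bridge: root path cost}, {bridge: parent toward root}).
    """
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    cost_to_root, parent = {root: 0}, {}
    heap = [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > cost_to_root[n]:
            continue
        for m, c in adj.get(n, []):
            if d + c < cost_to_root.get(m, float("inf")):
                cost_to_root[m], parent[m] = d + c, n
                heapq.heappush(heap, (d + c, m))
    return cost_to_root, parent


def spanning_tree(bridges, links, root_guard_ports=frozenset()):
    """root_guard_ports: {(bridge, neighbour)} = the port on `bridge` facing
    `neighbour` has Root Guard. Returns (root, cost_to_root, parent)."""
    bridges, links = dict(bridges), list(links)
    while True:
        root = elect_root(bridges)
        # Guarded ports facing this would-be root hear its superior BPDUs and block.
        blocked = [l for l in links if root in l[:2]
                   and (l[1] if l[0] == root else l[0], root) in root_guard_ports]
        links = [l for l in links if l not in blocked]
        if any(root in l[:2] for l in links) or len(bridges) == 1:
            cost, parent = root_paths(links, root)
            return root, cost, parent
        bridges.pop(root)  # cut off completely: it cannot win the election


def tree_path(parent, a, b):
    """Path frames take from a to b along the active spanning tree."""
    def up(n):
        chain = [n]
        while chain[-1] in parent:
            chain.append(parent[chain[-1]])
        return chain
    up_a, up_b = up(a), up(b)
    common = next(n for n in up_a if n in up_b)
    return up_a[:up_a.index(common)] + up_b[:up_b.index(common) + 1][::-1]


# Constructed lab: SW1 is the intended root (priority 4096), SW2/SW3 default 32768.
BRIDGES = {"SW1": (4096, "00:00:0c:00:00:01"),
           "SW2": (32768, "00:00:0c:00:00:02"),
           "SW3": (32768, "00:00:0c:00:00:03")}
LINKS = [("SW1", "SW2", 4), ("SW1", "SW3", 4), ("SW2", "SW3", 19)]
# Attacker dual-homed to access ports on SW2 and SW3, advertising priority 0.
ROGUE = {"ATK": (0, "00:00:0c:00:00:aa")}
ROGUE_LINKS = [("ATK", "SW2", 19), ("ATK", "SW3", 19)]


def path_sw2_to_sw3(root_guard=False):
    """Root and the SW2->SW3 forwarding path with the rogue bridge attached."""
    bridges, links = {**BRIDGES, **ROGUE}, LINKS + ROGUE_LINKS
    guards = {("SW2", "ATK"), ("SW3", "ATK")} if root_guard else set()
    root, _, parent = spanning_tree(bridges, links, guards)
    return root, tree_path(parent, "SW2", "SW3")


if __name__ == "__main__":
    root, _, parent = spanning_tree(BRIDGES, LINKS)
    print("baseline:", root, tree_path(parent, "SW2", "SW3"))
    print("rogue:", path_sw2_to_sw3())            # SW2 -> ATK -> SW3: attacker in the path
    print("root guard:", path_sw2_to_sw3(True))   # ATK cut off, SW1 stays root
```

Without the guard the attacker wins the election outright and the SW2 to SW3 traffic is rerouted through it, even though the direct SW2 to SW3 link still exists; with Root Guard on the two access ports, those ports block as soon as they hear the superior BPDU and the legitimate root is unchanged.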

Switches

To combat the weaknesses of hubs, switches are the better choice. A switch is, in effect, an intelligent hub that operates primarily at the data link layer (layer 2): the systems attached to it share one broadcast domain, but each port is its own collision domain. However, switches with routing capabilities (layer 3 switches) also operate at the network layer, in which case systems on opposite sides of the routed boundary are in different broadcast domains as well as different collision domains.

Because a switch learns which MAC address sits behind each port, it can forward a unicast frame only to the port that needs to receive it. Switches therefore deliver traffic efficiently, create separate collision domains, and improve overall throughput where the segments run the same protocol.

Switches can create separate broadcast domains when they are configured with VLANs. The switch segments the network into VLANs, and broadcasts are contained within the VLAN. To pass traffic between VLANs, a router (or a layer 3 switch performing the router's role) must be present; a pure layer 2 switch cannot do this.

Switches provide security services that hubs cannot. They inspect frame headers and make per-port forwarding decisions, so a host normally sees only traffic addressed to it plus broadcasts. By establishing and governing VLANs, switches make it harder for an attacker to sniff network traffic, and broadcast and collision traffic stays contained rather than travelling throughout the network. This protection has limits a practitioner must know. A switch's MAC address table is finite, and an attacker who floods it with forged source addresses (MAC flooding) forces unknown-destination frames to be flooded out of every port, which is hub behaviour; ARP spoofing can redirect traffic within a VLAN; and VLAN hopping can be attempted through trunk negotiation or double tagging. Port security (a limit on MAC addresses per port), DHCP snooping with dynamic ARP inspection, disabling trunk negotiation on access ports, and keeping the native VLAN off user ports are the standard countermeasures.
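
The MAC-flooding failure mode and the port-security countermeasure can be shown with a simulated learning switch. The following is an added example, not from the source text; port names, MAC addresses and the tiny table capacity are constructed. It forwards known unicast to one port, floods unknown destinations, lets an attacker on a third port exhaust the table with forged source addresses, and then reruns the scenario with a per-port MAC limit that err-disables the offending port.

```python
"""Learning switch: per-port forwarding, MAC flooding, and port security.

Added worked example; it is not from the source text. Port names, MAC
addresses and the table capacity are constructed (real tables hold
thousands of entries). A full table is modelled as evicting the oldest
entry; real switches instead refuse to learn until entries age out, with
the same result once the attacker keeps the table full.
"""
from collections import OrderedDict


class LearningSwitch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = OrderedDict()            # src MAC -> port, oldest first
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port  # port security limit, None = off
        self.err_disabled = set()           # ports shut down after a violation

    def learn(self, src_mac, in_port):
        """Record src_mac on in_port; return False if port security rejects it."""
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)
            self.cam[src_mac] = in_port     # MAC move: update the port
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if on_port >= self.max_macs_per_port:
                self.err_disabled.add(in_port)   # violation action: shut the port
                return False
        if len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)    # table full: oldest entry goes
        self.cam[src_mac] = in_port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of egress ports for one frame."""
        if in_port in self.err_disabled or not self.learn(src_mac, in_port):
            return set()
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}      # known unicast: one port only
        # unknown destination or broadcast: flood everywhere else (hub behaviour)
        return set(self.ports) - {in_port}


def run_scenario(port_security):
    """Alice (port 1) and Bob (port 2) talk; attacker on port 3 floods fake MACs.
    Returns (egress for Alice->Bob before the flood, after it, port 3 shut?)."""
    sw = LearningSwitch(["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"], cam_capacity=8,
                        max_macs_per_port=2 if port_security else None)
    alice, bob = "00:11:22:33:44:aa", "00:11:22:33:44:bb"
    sw.forward(alice, bob, "Gi1/0/1")       # Bob unknown yet: flooded once
    sw.forward(bob, alice, "Gi1/0/2")       # reply: both MACs now learned
    before = sw.forward(alice, bob, "Gi1/0/1")
    for i in range(20):                     # attacker: 20 forged source MACs
        fake = f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}"
        sw.forward(fake, "ff:ff:ff:ff:ff:ff", "Gi1/0/3")
    after = sw.forward(alice, bob, "Gi1/0/1")
    return before, after, "Gi1/0/3" in sw.err_disabled


if __name__ == "__main__":
    print("no port security:", run_scenario(False))  # after the flood Alice->Bob also reaches port 3
    print("port security:   ", run_scenario(True))   # port 3 err-disabled, unicast stays private
```

Before the flood, Alice's frames to Bob leave only port 2. Once the attacker's forged addresses have pushed Alice and Bob out of the table, the same frame is flooded to port 3 as well, which is all a sniffer on that port needs. With a two-address limit per port, the third forged source shuts port 3 and the legitimate entries are never displaced.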

Routers

Routers are network layer (layer 3) devices. A router connects discrete networks using the same protocol: a packet arrives from a host on the first network, the router inspects the destination IP address in the packet header, and it determines the next hop along the best path. The choice of path is based on metrics such as bandwidth, hop count, and administrative preference. A router consults a routing table whose entries are either static (manually configured) or dynamic (learned and updated through a routing protocol, sometimes called adaptive routing). With dynamic routing, the router reassesses how best to forward data as conditions change and can select different routes to a given destination; when a node or link fails, the router directs traffic around it over the remaining paths.

As previously mentioned, there are numerous dynamic routing protocols, including BGP, OSPF, and RIP. Static and dynamic routing are best used together: when dynamic routing information fails to be exchanged, a static route configured with a worse administrative distance (a floating static route) takes over as a backup. Routing protocols should also be protected: authenticate neighbours and filter the prefixes each one is allowed to advertise, since a forged route redirects traffic as effectively as a compromised link. Systems on either side of a router are part of different broadcast domains and different collision domains.
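
The interplay between longest-prefix matching, administrative distance and a floating static backup is easiest to see in a small routing table. The following is an added example, not code from the source: prefixes and next hops use documentation address ranges, the distance values follow the common Cisco defaults (static 1, OSPF 110), and the floating static route is simply a static route given a distance of 200 so that it loses to OSPF until the OSPF routes are withdrawn.

```python
"""Longest-prefix match, administrative distance and a floating static route.

Added worked example; it is not from the source text. Prefixes and next
hops are constructed (documentation ranges); the distance values follow
the common Cisco defaults (static 1, OSPF 110), and the floating static
route is just a static route configured with a distance worse than the
dynamic protocol it backs up, so it is used only when that route is gone.
"""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []  # (network, next_hop, administrative distance, source)

    def add(self, prefix, next_hop, distance, source):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, distance, source))

    def withdraw(self, source):
        """Drop every route learned from one source, e.g. when an OSPF adjacency dies."""
        self.routes = [r for r in self.routes if r[3] != source]

    def lookup(self, destination):
        """Return (next_hop, source) for a destination address, or None."""
        dst = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        # longest prefix wins; among equal prefixes the lowest distance wins
        # (equal-cost multipath is not modelled: the first best route is returned)
        best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
        return best[1], best[3]


def build_table():
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "198.51.100.1", 1, "static")           # default toward the Internet
    rt.add("10.0.0.0/8", "192.0.2.1", 1, "static")              # corporate summary
    rt.add("10.1.0.0/16", "192.0.2.2", 110, "OSPF")             # site learned dynamically
    rt.add("10.1.0.0/16", "192.0.2.3", 200, "floating-static")  # backup via a second link
    rt.add("10.1.5.0/24", "192.0.2.4", 110, "OSPF")             # more specific subnet
    return rt


def failover_demo():
    """Lookups before and after the OSPF routes are withdrawn."""
    rt = build_table()
    targets = ("10.1.5.9", "10.1.7.9", "10.9.0.1", "203.0.113.5")
    before = {d: rt.lookup(d) for d in targets}
    rt.withdraw("OSPF")
    after = {d: rt.lookup(d) for d in targets}
    return before, after


if __name__ == "__main__":
    before, after = failover_demo()
    for dst in before:
        print(f"{dst:15} {before[dst]}  ->  {after[dst]}")
```

While OSPF is up, 10.1.5.9 follows the /24 and 10.1.7.9 the OSPF /16, because a longer prefix beats any distance and, at equal length, the lower distance beats the floating static. After the OSPF routes are withdrawn both fall back to the floating static /16, not to the /8 summary, and the default route is untouched throughout.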

Gateways

An important function of a gateway device is that it connects networks that use different network protocols. Gateways may be hardware devices or software applications. They operate at the application layer (layer 7), and arguably also at the presentation layer (layer 6), where data formats change. The gateway transforms one network's data stream into a format usable by the second network, which is why gateways are also called protocol translators. Gateways connect systems that are on different broadcast and collision domains. There are many types of gateways, including data, mail, application, secure, and Internet gateways.

Proxies

A proxy is a form of gateway that acts as a mediator, filter, caching server, and even address translation server for a network, but it does not translate across protocols. A proxy performs a function or requests a service on behalf of another system and connects network segments that use the same protocol. A common proxy-like use is network address translation (NAT), which gives private network clients access to the Internet while concealing their addresses. NAT rewrites the source address of an outbound packet to a public address and records the mapping; when a response arrives, the NAT device looks up the mapping to determine which client the packet is destined for and forwards it. In this way one set of IP addresses is used inside the private network and another for outside traffic. Concealing internal addresses is useful, but it is not a substitute for a firewall policy: inbound filtering, logging, and the patch level of the proxy itself still have to be managed. Systems on either side of a proxy are part of different broadcast domains and different collision domains.
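
The mapping table described above, as an added example that is not part of the source text. Addresses and ports are constructed (RFC 1918 inside, documentation ranges outside). Two inside clients open connections from the same source port to the same server; the translator gives each its own public port, routes the server's reply back to the right client by consulting its state, and drops an unsolicited packet for which no mapping exists.

```python
"""Port address translation (NAPT) with a state table, as a proxy performs it.

Added worked example; it is not from the source text. Addresses and ports
are constructed (RFC 1918 inside, documentation ranges outside). The
inbound check requires the reply to come from the same outside host and
port that the mapping was created for, so unsolicited packets are dropped.
"""


class Napt:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside ip, inside port, outside ip, outside port) -> public port
        self.outbound = {}
        # (public port, outside ip, outside port) -> (inside ip, inside port)
        self.inbound = {}

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the private network; creates state on first use."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            public_port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = public_port
            self.inbound[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.outbound[key], dst_ip, dst_port

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet arriving from outside, or return None to drop it."""
        if dst_ip != self.public_ip:
            return None
        inside = self.inbound.get((dst_port, src_ip, src_port))
        if inside is None:
            return None  # no matching mapping: unsolicited, dropped
        return src_ip, src_port, inside[0], inside[1]


def session_demo():
    """Two clients behind one public address, one reply, one unsolicited probe."""
    nat = Napt("198.51.100.1")
    # two clients happen to use the same source port toward the same server
    a = nat.translate_outbound("192.168.1.10", 51000, "203.0.113.5", 443)
    b = nat.translate_outbound("192.168.1.11", 51000, "203.0.113.5", 443)
    reply_b = nat.translate_inbound("203.0.113.5", 443, "198.51.100.1", b[1])
    # a different outside host aiming at client A's public port has no state
    probe = nat.translate_inbound("203.0.113.9", 12345, "198.51.100.1", a[1])
    return a, b, reply_b, probe


if __name__ == "__main__":
    for packet in session_demo():
        print(packet)
```

The unsolicited probe is dropped only because the lookup key includes the outside host and port; a translator that matched on the public port alone would forward it to client A, which is the difference between endpoint-dependent filtering and a permissive NAT and one reason NAT alone is not a firewall.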

Tip Network tarpits, sometimes referred to as teergrube (the German word for tar pit), may be implemented on network services such as a proxy server or mail relay. A tarpit is a service that deliberately keeps incoming connections open and responds as slowly as possible, so that spammers, scanners, and self-propagating malware waste their time on it instead of reaching real targets.

LAN Extenders

This is a multilayer switch used to extend a network segment beyond the distance limitation specified in the IEEE 802.3 standard for a particular cable type. It can also be implemented as a WAN switch, WAN router, repeater, or amplifier.

Wireless Access Points

Wireless access points (WAPs) operate at the data link layer (layer 2): they bridge wireless clients onto the wired LAN. A wireless router combines an access point with a layer 3 router, so like a wired router it interrogates each packet and determines its path and destination, while also serving as the point of entry into the wireless network, or into the wired network in integrated deployments. The utility of wireless routers is their ability to let portable endpoints such as notebooks, laptops, and smartphones access the network. Multiband devices operate on the 2.4 GHz and 5 GHz bands simultaneously; 802.11n-class equipment of the kind described here provides data rates above 300 Mbps on the 2.4 GHz band and 450 Mbps on the 5 GHz band, and later standards are faster. WAPs are discussed in detail earlier in the chapter in the "Wireless Networks" section and its subsections.

Multiplexers

Multiplexers are devices that combine multiple analog or digital signals for transmission over one shared medium, such as a coaxial or fiber-optic cable. This is more efficient and cost-effective than sending each signal over an independent channel.

Multiplexing is commonly shortened to muxing, and a multiplexer may be called a mux. The reverse process, separating the combined signal back into its original channels, is performed by a demultiplexer, or demux. Multiplexing remains fundamental to modern transport networks (time-division multiplexing on digital circuits, wavelength-division multiplexing on fiber), even though a standalone multiplexer is rarely something a security team manages directly.

Private Branch Exchange (PBX)

A private branch exchange (PBX) is a special-purpose telephone switch used as a private telephone network within a company or organization. The PBX can interface with multiple devices. Not long ago, the PBX was always a physical switch, but today most PBX functionality is software-based. Users of the PBX phone system can communicate internally within their organization or reach external parties. The PBX supports more phones than would be possible with an individual physical line per phone to the public switched telephone network (PSTN), because voice traffic is multiplexed onto a smaller number of trunk lines connected to other telephone switching equipment.

The PBX can handle analog and digital signals over different communication channels such as VoIP, ISDN, or plain old telephone service (POTS). There are several security concerns with PBX implementations that security professionals need to assess. Many PBX installations still have modems attached to provide dial-up access for services such as remote maintenance, frequently protected by nothing more than vendor default credentials; these, together with voicemail and call-forwarding features, are the usual routes to toll fraud and to an attacker's foothold on the voice network. Securing PBX implementations is discussed later in the chapter in the "Implement Secure Communication Channels According to Design" section.

Unified Threat Management (UTM)

Unified threat management (UTM) is a concept that integrates the functions described in this chapter for each type of network and security device into a minimum number of multifunction devices. The goal is to move away from numerous devices that provide single-purpose or point solutions toward a simplified architecture and simpler management of combined devices. Another benefit is simplified administration of vendor relationships and proprietary interconnections. The earliest UTM devices integrated firewall, IDS, and IPS; next-generation devices and solutions bring together capabilities like web proxy and content filtering, DLP, VPN, and SIEM, to name a few. Some security professionals caution against UTM approaches, as they may erode the benefits of defense in depth: a single device is a single point of failure and, if compromised or misconfigured, a single point of bypass for every control it hosts.

Cloud Computing

Cloud computing is discussed in greater detail later in this chapter. However, in the context of device operations, cloud computing introduces new opportunities and challenges for security professionals. Cloud service providers deliver computer processing capabilities as a service rather than as a product. Shared resources, software, and information, including functions such as routers, switches, proxies, and gateways, are available as a utility that is leased rather than owned. The physical appliances that used to sit only in a local data center are not what the cloud provides; the equivalent infrastructure is positioned as a service, such as firewall as a service (FWaaS) or network as a service (NaaS). Organizations can reduce the up-front costs of the hardware and software assets used to manage and secure networks. However, a security professional has to remember that using cloud computing resources does not eliminate responsibility for protecting the assets shifted to the cloud: under the shared responsibility model the provider secures the underlying service, but the configuration of the virtual firewall, its rule set, and its logging remain the customer's job.

Endpoints

While managing network security with filtering devices such as firewalls and proxies is important, security professionals must also focus on the security requirements of the computing endpoints. Endpoint is a general term for the various access and reporting devices that people use to connect to internal and external networks; put simply, an endpoint is any end device connected to the network, including a PC, a printer, a server, or even a piece of network infrastructure. Protecting endpoints is part of a defense in depth strategy and is referred to as endpoint security. A vulnerable endpoint is likely to be exploited and then used as a foothold to cause further damage at the network level.