CISSP Secure Network Components – Bk2D4T10

Module Objectives
  1. Recognize relevant network components used to secure communications and differentiate use based upon requirements.
  2. Demonstrate use of secure network components as countermeasures in response to specific threats associated with the Open Systems Interconnection (OSI) model layers 1–7.

Firewalls

Firewalls will not be effective right out of the box. Firewall rules must be defined correctly so that they do not inadvertently grant unauthorized access. Like all hosts on a network, firewalls must have patches installed by administrators and all unnecessary services disabled. Also, firewalls offer limited protection against vulnerabilities caused by application flaws in server software on other hosts. For example, a firewall will not prevent an attacker from manipulating a database to disclose confidential information.

Firewalls filter traffic based on a rule set. Each rule instructs the firewall to block or forward a packet based on one or more conditions. For each incoming packet, the firewall will look through its rule set for a rule whose conditions apply to that packet and block or forward the packet as specified in that rule. Below are two important conditions used to determine if a packet should be filtered.

  • By address: Firewalls will often use the packet’s source or destination address, or both, to determine if the packet should be filtered.
  • By service: Packets can also be filtered by service. The firewall inspects the service the packet is using (if the packet is part of the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), the service is the destination port number) to determine if the packet should be filtered. For example, firewalls will often have a rule to filter the Finger service to prevent an attacker from using it to gather information about a host. Filtering by address and by service are often combined in rules. If the engineering department wanted to grant anyone on the LAN access to its web server, a rule could be defined to forward packets whose destination address is the web server’s and the service is HTTP (TCP port 80).
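The two conditions above, evaluated first-match against a rule set, look like this in code. This is an added example, not part of the original module; the rule set, the LAN prefix 10.0.0.0/8 and the web server address 10.1.1.10 are constructed for illustration. It shows the service-only Finger rule and the combined address-plus-service HTTP rule from the text, with an implicit block for anything that matches no rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port: the "service" for TCP/UDP packets


@dataclass(frozen=True)
class Rule:
    action: str                  # "forward" or "block"
    src: Optional[str] = None    # CIDR the source must fall in; None matches any
    dst: Optional[str] = None    # CIDR the destination must fall in; None matches any
    proto: Optional[str] = None  # transport protocol; None matches any
    dport: Optional[int] = None  # service (destination port); None matches any

    def matches(self, pkt: Packet) -> bool:
        """Every condition set on the rule must hold for the packet."""
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# Constructed rule set (hypothetical addresses): 10.0.0.0/8 is the LAN,
# 10.1.1.10 is the engineering department's web server.
RULES = [
    # Filter the Finger service by service alone, regardless of address.
    Rule("block", proto="tcp", dport=79),
    # Address and service combined: anyone on the LAN may reach the web server over HTTP.
    Rule("forward", src="10.0.0.0/8", dst="10.1.1.10/32", proto="tcp", dport=80),
]


def filter_packet(pkt: Packet, rules=RULES, default_action="block") -> str:
    """First-match evaluation: the first rule whose conditions apply decides.
    A packet that matches no rule falls through to the default (deny by default)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default_action
```

Rule order matters with first-match semantics: a broad "forward" rule placed before the Finger rule would let port 79 through, which is the kind of ordering mistake that makes a firewall ineffective despite having the right rules in the set.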

Firewalls can change the source address of each outgoing (from trusted to untrusted network) packet to a different address. This has several applications, most notably to allow hosts with RFC 1918 addresses access to the internet by changing their private address to one that is routable on the internet. A private address is one that will not be forwarded by an internet router and, therefore, remote attacks using private internal addresses cannot be launched over the open internet. Anonymity is another reason to use network address translation (NAT). Many organizations do not want to advertise their IP addresses to an untrusted host and, thus, unnecessarily give information about the network. They would rather hide the entire network behind translated addresses. NAT also greatly extends the capabilities of organizations to continue using IPv4 address spaces.

Static Packet Filtering

When a firewall uses static packet filtering, it examines each packet without regard to the packet’s context in a session. Packets are examined against static criteria, for example, blocking all packets with a port number of 79 (finger).

Because of its simplicity, static packet filtering requires very little overhead, but it has a significant disadvantage. Static rules cannot be temporarily changed by the firewall to accommodate legitimate traffic. If a protocol requires a port to be temporarily opened, administrators must choose between permanently opening the port and disallowing the protocol.

Stateful Inspection or Dynamic Packet Filtering

Stateful inspection examines each packet in the context of a session, which allows the firewall to make dynamic adjustments to the rules to accommodate legitimate traffic and to block malicious traffic that would appear benign to a static filter. For example, if a user sends a SYN request to a server and receives a SYN-ACK back from the server, the next appropriate segment to send is an ACK. If the user instead sends another SYN request, the stateful inspection device will recognize and reject this "inappropriate" packet.
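The handshake tracking described above, written out as a minimal connection table. This is an added example and not part of the original module; the addresses and ports are constructed. It keeps one state per TCP 4-tuple and forwards only the segment that is appropriate for that state, so the second SYN arriving after a SYN-ACK is rejected, while a retransmitted SYN before any SYN-ACK (a legitimate case) is still allowed. A static filter that permits port 80 would pass every one of these segments.

```python
from enum import Enum


class State(Enum):
    SYN_SENT = "SYN_SENT"          # client SYN seen, no reply yet
    SYN_RECEIVED = "SYN_RECEIVED"  # server SYN-ACK seen, waiting for client ACK
    ESTABLISHED = "ESTABLISHED"    # three-way handshake complete


class StatefulFilter:
    """Tracks TCP sessions by 4-tuple and forwards only the segment that is
    appropriate for the session's current state (FIN/RST teardown omitted)."""

    def __init__(self):
        self.sessions = {}  # (client_ip, client_port, server_ip, server_port) -> State

    def inspect(self, src, sport, dst, dport, flags):
        fwd = (src, sport, dst, dport)   # key if this segment goes client -> server
        rev = (dst, dport, src, sport)   # key if this segment is a server -> client reply
        state = self.sessions.get(fwd)
        rstate = self.sessions.get(rev)

        if flags == "SYN":
            if state is None:
                self.sessions[fwd] = State.SYN_SENT   # new session opening
                return "forward"
            if state is State.SYN_SENT:
                return "forward"                       # retransmitted SYN, no SYN-ACK seen yet
            return "reject"                            # SYN after SYN-ACK: the next appropriate segment is ACK

        if flags == "SYN-ACK":
            if rstate is State.SYN_SENT:
                self.sessions[rev] = State.SYN_RECEIVED
                return "forward"
            return "reject"                            # SYN-ACK with no matching SYN

        if flags == "ACK":
            if state is State.SYN_RECEIVED:
                self.sessions[fwd] = State.ESTABLISHED   # handshake completes
                return "forward"
            if state is State.ESTABLISHED or rstate is State.ESTABLISHED:
                return "forward"                         # data in either direction of an open session
            return "reject"                              # ACK for a session the firewall never saw open

        return "reject"


def run_handshake_demo():
    """Constructed traffic: a normal handshake with an out-of-place second SYN,
    followed by an unsolicited SYN-ACK from an unrelated host."""
    f = StatefulFilter()
    client = ("192.0.2.10", 40000)
    server = ("198.51.100.5", 80)
    return [
        f.inspect(*client, *server, "SYN"),           # forward: opens the session
        f.inspect(*server, *client, "SYN-ACK"),       # forward: expected reply
        f.inspect(*client, *server, "SYN"),           # reject: should have been an ACK
        f.inspect(*client, *server, "ACK"),           # forward: completes the handshake
        f.inspect(*server, *client, "ACK"),           # forward: server data on an open session
        f.inspect("203.0.113.9", 443, *client, "SYN-ACK"),  # reject: no SYN ever went to that host
    ]
```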

Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, along with malware awareness and prevention. NGFWs are not the same as intrusion prevention system (IPS) stand-alone devices or even firewalls that are simply integrating IPS capabilities. Included in what is called the third generation of firewall technology is in-line deep inspection of traffic, application programming interface (API) gateways, and Database Activity Monitoring.

Intrusion Detection and Prevention Systems (IDS/IPS)

Intrusion detection systems (IDSs) monitor activity and send alerts when they detect suspicious traffic. There are two broad classifications of IDS/IPS:

  • Host-based IDS/IPS: Monitor activity on servers and workstations.
  • Network-based IDS/IPS: Monitor network activity. Network IDS services are typically stand-alone devices or at least independent blades within network chassis. Network IDS logs would be accessed through a separate management console that will also generate alarms and alerts.

Currently, there are two approaches to the deployment and use of IDSs. An appliance on the network can monitor traffic for attacks based on a set of signatures (analogous to antivirus software), or the appliance can watch the network’s traffic for a while, learn what traffic patterns are normal and send an alert when it detects an anomaly. Of course, the IDS can be deployed using a hybrid of the two approaches as well.

Independent of the approach, how an organization uses an IDS determines whether the tool is effective. Despite its name, an IDS should not be relied on to stop intrusions, because IDS solutions are not designed to take preventive action as part of their response. Instead, it should send an alert when it detects interesting, abnormal traffic that could be a prelude to an attack.

For example, someone in the engineering department trying to access payroll information over the network at 3 a.m. is probably very interesting and not normal. Or, perhaps a sudden rise in network utilization should be noted.

Intrusion systems use several techniques to determine whether an attack is underway:

  • Signature or pattern-matching systems examine the available information (logs or network traffic) to determine if it matches a known attack.
  • Protocol-anomaly-based systems examine network traffic to determine whether what they see conforms to the defined standard for that protocol; for example, as it is defined in a Request for Comments (RFC).
  • Statistical-anomaly-based systems establish a baseline of normal traffic patterns over time and detect any deviations from that baseline. Some also use heuristics to evaluate the intended behavior of network traffic and determine whether it is meant to be malicious. Most modern systems combine two or more of these techniques to provide a more accurate analysis before deciding whether an attack is under way.
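The three detection techniques above, run side by side over a small constructed connection log. This is an added example, not part of the original module; the log format, the addresses and the training window are assumptions made for illustration. The signature check flags a known pattern (a Finger probe on port 79), the protocol-anomaly check flags a segment carrying both SYN and FIN, which RFC 793 never produces, and the statistical check builds a per-minute baseline from the first four minutes and flags a later minute that exceeds the mean by more than three standard deviations.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed connection-log lines: "<hh:mm> <src> <dst> <dport> <flags>".
# 10.0.0.0/8 is the internal LAN, 10.1.1.10 the web server, 203.0.113.5 an outside host.
SAMPLE_LOG = """\
00:00 10.0.5.7 10.1.1.10 80 SYN
00:00 10.0.5.8 10.1.1.10 80 SYN
00:01 10.0.5.7 10.1.1.10 80 SYN
00:01 10.0.5.9 10.1.1.10 443 SYN
00:01 10.0.5.8 10.1.1.10 80 SYN
00:02 10.0.5.8 10.1.1.10 80 SYN
00:02 10.0.5.7 10.1.1.10 443 SYN
00:03 10.0.5.9 10.1.1.10 80 SYN
00:03 10.0.5.7 10.1.1.10 80 SYN
00:03 10.0.5.8 10.1.1.10 443 SYN
00:04 203.0.113.5 10.1.1.10 79 SYN
00:04 203.0.113.5 10.1.1.10 22 SYN,FIN
""" + "".join(f"00:05 203.0.113.5 10.1.1.10 {port} SYN\n" for port in range(1, 11))

LINE = re.compile(r"^(?P<minute>\d\d:\d\d) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<flags>\S+)$")


def parse(log):
    """Turn log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            e["flags"] = set(e["flags"].split(","))
            events.append(e)
    return events


# 1. Signature / pattern matching: predicates describing known-bad patterns.
SIGNATURES = {
    "finger-probe": lambda e: e["dport"] == 79,
}


def signature_alerts(events):
    return [(e["minute"], e["src"], name)
            for e in events for name, hit in SIGNATURES.items() if hit(e)]


# 2. Protocol anomaly: a TCP segment with SYN and FIN set together violates RFC 793.
def protocol_anomaly_alerts(events):
    return [(e["minute"], e["src"], "SYN+FIN")
            for e in events if {"SYN", "FIN"} <= e["flags"]]


# 3. Statistical anomaly: baseline of connections per minute from a training
#    window, then flag any later minute more than k standard deviations above the mean.
def statistical_alerts(events, training_minutes, k=3.0):
    per_minute = Counter(e["minute"] for e in events)
    baseline = [per_minute.get(m, 0) for m in training_minutes]
    threshold = mean(baseline) + k * pstdev(baseline)
    return [(m, n) for m, n in sorted(per_minute.items())
            if m not in training_minutes and n > threshold]


def analyze(log=SAMPLE_LOG, training_minutes=("00:00", "00:01", "00:02", "00:03")):
    """Combine the three techniques, as most modern systems do, into one report."""
    events = parse(log)
    return {
        "signature": signature_alerts(events),
        "protocol": protocol_anomaly_alerts(events),
        "statistical": statistical_alerts(events, training_minutes),
    }
```

The statistical threshold is where tuning lives: a training window that already contains a burst raises the baseline and produces false negatives, while a very quiet window produces a near-zero deviation and alerts on ordinary fluctuation.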

In most cases, there will continue to be problems associated with false positives as well as false negatives. False positives occur when the IDS or IPS identifies something as an attack, but it is in fact normal traffic.

False negatives occur when the IPS or IDS fails to interpret something as an attack when it should have. In these cases, intrusion systems must be carefully "tuned" to ensure that these are kept to a minimum.

An IDS requires frequent attention. An IDS requires the response of a human who is knowledgeable enough with the system and types of normal activity to make an educated judgment about the relevance and significance of the event. Alerts need to be investigated to determine if they represent an actual event, or if they are simply background noise.

Whitelisting/Blacklisting

Whitelisting/blacklisting: A whitelist is a list of email addresses and/or internet addresses that someone knows as "good" senders. A blacklist is a corresponding list of known "bad" senders. An email from an unrecognized sender is on neither the whitelist nor the blacklist and, therefore, is treated differently. Greylisting works by telling the sending email server to resend the message sometime soon. Many spammers set their software to blindly transmit their spam email, and the software does not understand the "resend soon" message. Thus, the spam would never actually be delivered.
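The acceptance logic described above as one decision function: blacklist first, whitelist second, greylisting for every sender that is on neither list. This is an added example and not part of the original module; the list entries, addresses and the 300-second retry window are constructed. A sender that never retries (the blind-transmit spam software in the text) stays at "tempfail" and is never delivered, while a real mail server that comes back after the window is accepted.

```python
from ipaddress import ip_address, ip_network


class MailAcceptancePolicy:
    """Whitelist/blacklist lookups first, greylisting for unrecognized senders."""

    def __init__(self, whitelist, blacklist, retry_after=300):
        self.whitelist = list(whitelist)  # sender addresses or source CIDRs known "good"
        self.blacklist = list(blacklist)  # sender addresses or source CIDRs known "bad"
        self.retry_after = retry_after    # seconds the sender must wait before resending
        self.pending = {}                 # (sender_ip, mail_from, rcpt_to) -> first seen (epoch seconds)

    @staticmethod
    def _listed(listing, sender_ip, mail_from):
        """An entry containing '@' is an email address; anything else is an IP or CIDR."""
        for entry in listing:
            if "@" in entry:
                if entry.lower() == mail_from.lower():
                    return True
            elif ip_address(sender_ip) in ip_network(entry, strict=False):
                return True
        return False

    def decide(self, sender_ip, mail_from, rcpt_to, now):
        """Return "reject" (SMTP 5xx), "accept", or "tempfail" (SMTP 451, resend later)."""
        if self._listed(self.blacklist, sender_ip, mail_from):
            return "reject"
        if self._listed(self.whitelist, sender_ip, mail_from):
            return "accept"
        key = (sender_ip, mail_from.lower(), rcpt_to.lower())
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now
            return "tempfail"      # first contact: ask the sender to come back later
        if now - first_seen < self.retry_after:
            return "tempfail"      # came back too early
        return "accept"            # a well-behaved MTA retried as asked
```

The pending table should be expired periodically in a real deployment; otherwise every one-shot spam attempt leaves an entry behind forever.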

Network Access Control (NAC) Devices

Port Address Translation (PAT)

An extension to network address translation (NAT), in which all internal addresses are translated to one externally routable IP address, is port address translation (PAT), which also translates the source port number of each outbound connection to an external service. The port translation is what keeps track of the multiple sessions that are sharing that one address to access the internet.
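A PAT translation table in code, covering both the NAT behaviour described earlier (private RFC 1918 sources rewritten to one routable address) and the port rewriting that lets many sessions share it. This is an added example, not part of the original module; the public address 203.0.113.1, the internal hosts and the port pool are constructed. Two internal hosts that happen to use the same private source port get distinct public ports, replies are mapped back by public port, and an inbound packet with no matching session has nowhere to go and is dropped.

```python
class PortAddressTranslator:
    """Maps many private (address, port) pairs onto one public address by
    rewriting the source port, and reverses the mapping for replies."""

    def __init__(self, public_ip, first_port=10000, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound = {}  # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound = {}   # (public port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an internal host's packet; an existing session reuses its entry."""
        key = (src_ip, src_port, dst_ip, dst_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("public port pool exhausted")
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def translate_inbound(self, remote_ip, remote_port, pub_port):
        """Return the internal (ip, port) a reply belongs to, or None when there is
        no session: unsolicited inbound packets cannot be delivered and are dropped."""
        return self.inbound.get((pub_port, remote_ip, remote_port))


def run_pat_demo():
    """Constructed traffic: two LAN hosts using the same private source port."""
    pat = PortAddressTranslator("203.0.113.1")   # hypothetical public address
    web = ("198.51.100.5", 80)                    # hypothetical external web server
    a = pat.translate_outbound("10.0.5.7", 40000, *web)
    b = pat.translate_outbound("10.0.5.8", 40000, *web)
    again = pat.translate_outbound("10.0.5.7", 40000, *web)   # same session, same entry
    return {
        "host_a": a,
        "host_b": b,
        "host_a_again": again,
        "reply_to_a": pat.translate_inbound(*web, a[1]),
        "reply_to_b": pat.translate_inbound(*web, b[1]),
        "unsolicited": pat.translate_inbound("192.0.2.99", 4444, 22),
    }
```

The inbound table is the reason a remote attacker cannot simply address an internal host: only packets that match a session the inside opened have a translation, which is the "private addresses cannot be attacked over the open internet" point made above.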

Proxy Firewall

A proxy firewall mediates communications between untrusted endpoints (servers/hosts/clients) and trusted endpoints (servers/hosts/clients). From an internal perspective, a proxy may forward traffic from known, internal client machines to untrusted hosts on the internet, creating the illusion for the untrusted host that the traffic originated from the proxy firewall, thus hiding the trusted internal client from potential attackers. To the user, it appears that they are communicating directly with the untrusted server. Proxy servers are often placed at internet gateways to hide the internal network behind one IP address and to prevent direct communication between internal and external hosts.

Proxy Types

A circuit-level proxy creates a conduit through which a trusted host can communicate with an untrusted one. This type of proxy does not inspect the data field that it forwards, which adds very little overhead to the communication between the user and untrusted server. The lack of application awareness also allows circuit-level proxies to forward any traffic to any TCP and UDP port. The disadvantage is that the data field will not be analyzed for malicious content.

An application-level proxy relays the traffic from a trusted endpoint running a specific application to an untrusted endpoint. The most significant advantage of application-level proxies is that they analyze the data field that they forward for various sorts of common attacks such as buffer overflows. Application-level proxies add processing overhead.

Endpoint Security

Workstations should be hardened, and users should be using limited access accounts whenever possible in accordance with the concept of “least privilege.”

Workstations should have the following:

  • Up-to-date antivirus and anti-malware software
  • A configured and operational host-based firewall
  • A hardened configuration with unneeded services disabled
  • A patched and maintained operating system

While workstations are what most people associate with endpoint attacks, the landscape is changing. Mobile devices such as smartphones and tablets make up more and more of the average organization's endpoints. With this additional diversity of devices, the security architect must also increase the diversity and agility of the organization's endpoint defenses.

For mobile devices such as smart phones and tablets, consider the following:

  • Encryption for the whole device, or if not possible, then at least encryption for sensitive information held on the device
  • Device virtualization/sandboxing
  • Remote management capabilities, including the following:
    • Remote wipe
    • Remote geolocate
    • Remote update
    • Remote operation
  • User policies and agreements that ensure an organization can manage the device or seize it for legal hold
