Chapter 4 Network Security

Types of Computer Networks

  • LAN – Local Area Network

  • WAN – Wide Area Network

  • WLAN – Wireless Local Area Network

  • VPN – Virtual Private Network

  • EPN – Enterprise Private Network

  • PAN – Personal Area Network

  • CAN – Campus Area Network

  • MAN – Metropolitan Area Network

  • SAN – Storage Area Network

  • SAN – System-Area Network

  • POLAN – Passive Optical Local Area Network

Networking Models

OSI Model

The OSI model (Open Systems Interconnection model) is a conceptual framework used to understand and standardize how different network protocols interact in a communication system. It divides network communication into seven distinct layers, each representing a specific function necessary for the successful transmission of data over a network.

Here are the seven layers of the OSI model, from the top layer to the bottom layer:

  1. Application Layer: This is the topmost layer, responsible for providing network services directly to end-users or applications. It includes protocols like HTTP, FTP, SMTP, and DNS.

  2. Presentation Layer: This layer handles data translation, encryption, and compression. It ensures that data is in a format that can be understood by the receiving system (e.g., converting between different character encodings or compressing data for transmission).

  3. Session Layer: The session layer manages and controls the dialog between two devices. It establishes, maintains, and terminates connections or sessions. It ensures that data is properly synchronized and can be resumed if interrupted.

  4. Transport Layer: This layer provides end-to-end communication and error correction. It ensures that data is transferred reliably and in the correct order. Protocols at this layer include TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

  5. Network Layer: Responsible for routing data across different networks, the network layer handles logical addressing (e.g., IP addresses) and packet forwarding. The main protocol at this layer is IP (Internet Protocol).

  6. Data Link Layer: This layer provides reliable data transfer over a physical link, including error detection and correction. It packages data into frames and handles MAC (Media Access Control) addressing. Protocols include Ethernet and Wi-Fi.

  7. Physical Layer: The lowest layer, which deals with the transmission of raw data bits over physical media, such as electrical signals or light pulses. It includes hardware components like cables, switches, and network interface cards.

The OSI model helps to break down complex networking tasks into manageable layers, facilitating easier troubleshooting and the design of interoperable systems.

TCP/IP Model

The TCP/IP model (Transmission Control Protocol/Internet Protocol model) is a set of protocols used for communication over the internet and other networks. It is a simpler and more practical model than the OSI model, and it forms the foundation for the internet and most modern networking systems. The TCP/IP model consists of four layers, each corresponding to a specific function in network communication.

Here are the four layers of the TCP/IP model:

  1. Application Layer:

    • This is the topmost layer, responsible for providing network services directly to end-user applications. It includes protocols that enable applications to communicate over a network, such as HTTP (for web browsing), FTP (for file transfer), SMTP (for email), and DNS (for domain name resolution).

    • This layer is roughly equivalent to the Application, Presentation, and Session layers of the OSI model.

  2. Transport Layer:

    • This layer is responsible for ensuring reliable data transfer between devices. It provides end-to-end communication services for applications by managing data flow control, error correction, and retransmission of lost data.

    • The two main protocols at this layer are TCP (Transmission Control Protocol), which ensures reliable communication, and UDP (User Datagram Protocol), which is faster but does not guarantee reliability.

    • This layer corresponds to the Transport Layer in the OSI model.

  3. Internet Layer:

    • The Internet layer is responsible for routing data across different networks and ensuring that packets are sent to the correct destination. This layer defines logical addressing (such as IP addresses) and handles packet forwarding through routers.

    • The main protocol in this layer is IP (Internet Protocol), which is responsible for addressing and routing packets. It also includes protocols like ICMP (Internet Control Message Protocol) and ARP (Address Resolution Protocol).

    • This layer corresponds to the Network Layer in the OSI model.

  4. Link Layer (Network Interface Layer):

    • The Link layer deals with the physical transmission of data over a specific network medium, such as Ethernet or Wi-Fi. It defines how data is formatted into frames for transmission and handles access to the physical medium.

    • This layer corresponds to the Data Link and Physical layers of the OSI model.

Key Differences Between the OSI and TCP/IP Models:

  • The OSI model is more theoretical and comprehensive, with seven layers, while the TCP/IP model is more practical, with only four layers.

  • The OSI model separates functions like application formatting, session management, and data translation into distinct layers, while the TCP/IP model groups them all under the Application layer.

  • The TCP/IP model is designed around practical, real-world communication over the internet, whereas the OSI model was designed to be a universal reference model.

In essence, the TCP/IP model focuses more on the protocols that drive the internet, whereas the OSI model is a broader conceptual framework for understanding networking.

IPv4 & IPv6

| Feature | IPv4 | IPv6 |
| --- | --- | --- |
| Address Length | 32 bits (4 bytes) | 128 bits (16 bytes) |
| Address Format | Dotted decimal notation (e.g., 192.168.1.1) | Hexadecimal notation (e.g., 2001:0db8:85a3::8a2e:0370:7334) |
| Number of Addresses | Approximately 4.3 billion (2^32) | Approximately 340 undecillion (2^128) |
| Addressing Scheme | Unicast, Broadcast, Multicast | Unicast, Multicast, Anycast |
| Header Size | 20 bytes (minimum) | 40 bytes (fixed) |
| Address Configuration | Manual or DHCP | Stateless Address Autoconfiguration (SLAAC) and DHCPv6 |
| Fragmentation | Performed by both sender and router | Only performed by the sender (routers do not fragment) |
| Routing | More complex routing (e.g., NAT, CIDR) | Simplified routing with hierarchical addressing |
| Security | IPsec is optional | IPsec is mandatory for end-to-end encryption |
| NAT (Network Address Translation) | Required to cope with address exhaustion | Not needed due to the vast address space |
| Broadcast Support | Supports broadcast communication | Does not support broadcast (uses multicast instead) |
| Quality of Service (QoS) | Limited QoS support | Improved QoS support with Flow Label field |
| Transition Mechanisms | Dual Stack, Tunneling, NAT64, etc. | Dual Stack, Tunneling, NAT64, etc. (with better support on the IPv6 side) |
| Application Support | Well-supported by existing applications | Increasingly supported by modern applications and services |
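The layering that both models describe, and the IPv4 (20-byte minimum) versus IPv6 (40-byte fixed) header difference from the table, shown as an added example in Python; this is not code from the chapter. It builds a constructed Ethernet frame carrying an IPv4 or IPv6 header, then TCP, then an HTTP request line, and decodes it link -> internet -> transport -> application. All MAC and IP addresses are made-up values.

```python
import ipaddress
import struct

def build_frame(version):
    """Constructed sample frame (not a real capture): Ethernet + IPv4/IPv6 + TCP + HTTP."""
    tcp = struct.pack("!HHIIBBHHH", 40512, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    payload = b"GET / HTTP/1.1\r\n"
    if version == 4:
        ethertype = b"\x08\x00"
        net = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0,
                          0x4000, 64, 6, 0, ipaddress.IPv4Address("192.168.1.10").packed,
                          ipaddress.IPv4Address("203.0.113.5").packed)
    else:
        ethertype = b"\x86\xdd"
        net = struct.pack("!IHBB16s16s", 0x60000000, len(tcp) + len(payload), 6, 64,
                          ipaddress.IPv6Address("2001:db8::10").packed,
                          ipaddress.IPv6Address("2001:db8:85a3::8a2e:370:7334").packed)
    # Made-up destination and source MAC addresses, then the rest of the frame.
    return bytes.fromhex("aabbccddeeff112233445566") + ethertype + net + tcp + payload

def decode(frame):
    """Walk the TCP/IP layers of one frame: link -> internet -> transport -> application."""
    layers = {}
    # Link layer: 14-byte Ethernet header; the EtherType selects the network protocol.
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["link"] = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
                      "ethertype": ethertype}
    off = 14
    if ethertype == 0x0800:
        # IPv4: header length comes from the IHL field, 20 bytes minimum.
        hdr_len = (frame[off] & 0x0F) * 4
        proto = frame[off + 9]
        src = ipaddress.IPv4Address(frame[off + 12:off + 16])
        dst = ipaddress.IPv4Address(frame[off + 16:off + 20])
    elif ethertype == 0x86DD:
        # IPv6: fixed 40-byte header; the Next Header field names the transport protocol.
        hdr_len = 40
        proto = frame[off + 6]
        src = ipaddress.IPv6Address(frame[off + 8:off + 24])
        dst = ipaddress.IPv6Address(frame[off + 24:off + 40])
    else:
        raise ValueError("unsupported EtherType 0x%04x" % ethertype)
    layers["internet"] = {"version": src.version, "header_len": hdr_len, "proto": proto,
                          "src": str(src), "dst": str(dst)}
    off += hdr_len
    if proto != 6:
        raise ValueError("only TCP (protocol number 6) is decoded in this example")
    # Transport layer: TCP ports; the data offset gives the header length in 32-bit words.
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    tcp_len = (frame[off + 12] >> 4) * 4
    layers["transport"] = {"protocol": "TCP", "src_port": sport, "dst_port": dport}
    # Application layer: everything after the TCP header (here an HTTP request line).
    layers["application"] = frame[off + tcp_len:]
    return layers
```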


Network Threats & Attacks

Network Threats:

Network threats refer to potential dangers or risks that could compromise the confidentiality, integrity, and availability of data or network resources. These threats arise from vulnerabilities within a network or its components and could lead to unauthorized access, data loss, or other types of harm. Network threats are typically the "cause" of network attacks.

Common network threats include:

  1. Malware: Software designed to harm or exploit network systems. This includes viruses, worms, trojans, ransomware, and spyware.

  2. Phishing: The attempt to trick individuals into revealing sensitive information (e.g., usernames, passwords, credit card details) by masquerading as a trustworthy entity via email, websites, or other forms of communication.

  3. Insider Threats: Threats originating from within the organization, such as disgruntled employees or contractors who intentionally or unintentionally compromise security.

  4. Social Engineering: Manipulating individuals into divulging confidential information or performing actions that compromise network security (e.g., pretexting, baiting, or tailgating).

  5. Denial of Service (DoS): A threat where attackers attempt to make network resources unavailable to users by overwhelming the network with traffic or requests.

  6. Eavesdropping: Unauthorized interception and monitoring of network traffic, typically to capture sensitive data like passwords, credit card numbers, and communications.

  7. Data Breaches: Unauthorized access to sensitive or private data, often resulting in the theft of personal, financial, or intellectual property.

  8. Zero-Day Vulnerabilities: Threats arising from previously unknown security flaws that can be exploited by attackers before a patch or fix is made available.


Network Attacks:

Network attacks are specific actions or methods employed by attackers to exploit network vulnerabilities, causing harm or gaining unauthorized access to a network or system. These attacks can be used to steal data, disrupt services, or harm an organization’s reputation.

Some common network attacks include:

  1. Denial of Service (DoS) Attack: The attacker floods the target network or server with excessive requests to exhaust resources and make it unavailable to legitimate users. A Distributed Denial of Service (DDoS) attack is a more sophisticated version where the attack comes from multiple sources.

  2. Man-in-the-Middle (MitM) Attack: The attacker intercepts and potentially alters the communication between two parties, often to steal sensitive information like login credentials or credit card details.

  3. SQL Injection: An attack that exploits vulnerabilities in a web application's database layer. Malicious SQL queries are injected into input fields, which can allow attackers to access or manipulate database data.

  4. Cross-Site Scripting (XSS): Attackers inject malicious scripts into web pages, which are then executed by the browser of users who visit the compromised page. This can lead to the theft of session cookies or user credentials.

  5. Password Cracking: Attackers attempt to discover a user's password through brute force methods (trying every possible combination) or by using techniques like dictionary attacks, where they use a list of common passwords.

  6. ARP Spoofing: The attacker sends fake Address Resolution Protocol (ARP) messages onto a network, which associates the attacker's MAC address with the IP address of another device (e.g., a router), allowing them to intercept network traffic.

  7. Sniffing: Involves intercepting and capturing network traffic to extract sensitive data like login credentials or confidential communication. This is usually done using packet-sniffing tools.

  8. Ransomware Attack: A form of malware that encrypts a victim's files or locks them out of their systems, demanding a ransom for the decryption key or to regain access.

  9. Pharming: This attack redirects a website's traffic to a malicious website that looks similar to the original site, often to steal login credentials or financial information.

  10. Privilege Escalation: This attack involves exploiting a vulnerability to gain higher access privileges than a user is authorized for, typically allowing the attacker to control systems or steal sensitive data from them.


How to Identify Threats

An Intrusion Detection System (IDS) is a security mechanism that monitors network traffic or system activity for suspicious or malicious behavior. Its main goal is to identify potential threats and alert administrators about unauthorized or anomalous activities.

  • Function: IDS analyzes network traffic or system logs to detect known attack patterns, anomalies, or violations of security policies. When it detects suspicious activity, it generates an alert to notify the network administrator.

  • Types of IDS:

    • Network-based IDS (NIDS): Monitors network traffic for signs of malicious activity.

    • Host-based IDS (HIDS): Monitors a single system or host (e.g., a server or workstation) for suspicious activity.
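The kind of signature and anomaly check a NIDS applies, worked through for the ARP spoofing attack listed above, as an added example in Python (not code from the chapter). It runs three detection rules over a constructed list of ARP replies; the gateway binding, MACs and addresses are hypothetical values.

```python
from collections import defaultdict

# Constructed ARP replies as a NIDS sensor might log them (not a real capture).
# The third and fourth replies show one MAC claiming the gateway's IP and then a host's IP.
SAMPLE_ARP_REPLIES = [
    {"ts": 1, "sender_ip": "192.168.1.1", "sender_mac": "00:11:22:33:44:01"},
    {"ts": 2, "sender_ip": "192.168.1.20", "sender_mac": "00:11:22:33:44:20"},
    {"ts": 3, "sender_ip": "192.168.1.1", "sender_mac": "de:ad:be:ef:00:99"},
    {"ts": 4, "sender_ip": "192.168.1.20", "sender_mac": "de:ad:be:ef:00:99"},
    {"ts": 5, "sender_ip": "192.168.1.30", "sender_mac": "00:11:22:33:44:30"},
]

# Bindings the administrator verified out of band, e.g. the default gateway (hypothetical).
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_spoofing(replies, trusted=TRUSTED_BINDINGS, max_ips_per_mac=1):
    """Apply three NIDS-style rules to ARP replies and return the alerts raised.

    1. trusted-binding-conflict: a reply claims a trusted IP with the wrong MAC.
    2. mapping-change: an IP first seen with one MAC is now claimed by another.
    3. mac-claims-multiple-ips: one MAC answers for more IPs than expected.
    MAC strings are assumed to be normalized (lower case) before they reach this function.
    """
    alerts = []
    learned = dict(trusted)        # IP -> MAC, seeded with the trusted bindings
    ips_by_mac = defaultdict(set)  # MAC -> IPs it has claimed so far
    for r in replies:
        ip, mac = r["sender_ip"], r["sender_mac"]
        if ip in trusted and mac != trusted[ip]:
            alerts.append({"ts": r["ts"], "rule": "trusted-binding-conflict",
                           "ip": ip, "mac": mac})
        elif ip in learned and learned[ip] != mac:
            alerts.append({"ts": r["ts"], "rule": "mapping-change", "ip": ip,
                           "expected": learned[ip], "mac": mac})
        learned.setdefault(ip, mac)  # keep the first binding so repeat claims still alert
        new_claim = ip not in ips_by_mac[mac]
        ips_by_mac[mac].add(ip)
        if new_claim and len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append({"ts": r["ts"], "rule": "mac-claims-multiple-ips", "mac": mac,
                           "ips": sorted(ips_by_mac[mac])})
    return alerts
```

Rule 3 needs a threshold tuned to the network: a router or a host with several addresses legitimately answers for more than one IP, so `max_ips_per_mac` should be raised for such devices rather than left at 1 everywhere.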


How to Prevent Threats

Antivirus (anti-malware) software is a common preventive control on individual devices:

  • Function: Detects and removes malware (viruses, worms, trojans, etc.).

  • Prevention: Uses signatures and heuristics for real-time protection on individual devices.

  • Limitations: May miss new or unknown threats without updated signatures.


Network Security Infrastructure

Cloud Deployment Models

Requirements of a Data Center

1. Power:

  • Importance: A data center requires a constant, reliable power supply to ensure the continuous operation of servers, networking equipment, and other critical systems.

  • Requirements:

    • Uninterruptible Power Supply (UPS): Provides backup power during outages.

    • Generators: Backup power for extended outages.

    • Redundant Power: Multiple power feeds and circuits to avoid single points of failure.

2. HVAC (Heating, Ventilation, and Air Conditioning):

  • Importance: Proper cooling is essential to prevent servers and equipment from overheating, which can lead to failures and damage.

  • Requirements:

    • Cooling Systems: Efficient air conditioning units or cooling solutions to regulate temperature.

    • Ventilation: Proper airflow management to ensure optimal distribution of cool air and removal of heat.

    • Redundancy: Backup cooling systems in place to ensure continuous airflow.

3. Fire Suppression:

  • Importance: Protecting data centers from fire risks is critical, as a fire could destroy both hardware and data.

  • Requirements:

    • Fire Detection: Early detection systems (e.g., smoke detectors) to identify potential fires quickly.

    • Fire Suppression Systems: Systems such as FM-200 or Inergen, which suppress fire without damaging sensitive equipment.

    • Fire Barriers: Fire-resistant walls, doors, and floors to contain fire and prevent it from spreading.

4. Redundancy:

  • Importance: Redundancy ensures that a data center can continue operating even if one or more systems fail.

  • Requirements:

    • Redundant Power Supplies: Multiple power sources and backup generators.

    • Network Redundancy: Dual network connections and routers to ensure continuous communication.

    • Data Redundancy: Backup storage systems (e.g., RAID, cloud replication) to avoid data loss.

5. MOU/MOA (Memorandum of Understanding / Memorandum of Agreement):

  • Importance: Defines agreements and responsibilities between data center operators and clients or partners.

  • Requirements:

    • MOU: A non-binding document that outlines mutual understandings and intentions between parties.

    • MOA: A more formal and binding agreement that specifies the obligations and responsibilities of each party regarding the operation and management of the data center.

Network Design Terminology

1. Network Segmentation (e.g., Microsegmentation & DMZ):

  • Microsegmentation:

    • Definition: The practice of dividing a network into smaller, isolated segments to limit the spread of threats and enhance security.

    • How It Works: By using firewalls and software-defined network policies, microsegmentation can isolate workloads within data centers or cloud environments.

    • Benefit: Reduces the attack surface and prevents lateral movement of attackers within the network.

  • Demilitarized Zone (DMZ):

    • Definition: A perimeter network that acts as a buffer between a trusted internal network and untrusted external networks (like the internet).

    • How It Works: Public-facing services (e.g., web servers, email servers) are placed in the DMZ, while the internal network is protected behind a firewall.

    • Benefit: Limits external access to only certain services, reducing the risk of compromising the internal network.


2. Virtual Local Area Network (VLAN):

  • Definition: A logical subgroup within a physical network that isolates traffic and groups devices together, regardless of their physical location.

  • How It Works: VLANs segment a network into smaller broadcast domains to improve security, performance, and management.

  • Benefit: Increases network efficiency by reducing unnecessary traffic and improving security by isolating sensitive departments or systems.


3. Virtual Private Network (VPN):

  • Definition: A secure, encrypted connection between two points over a public network (e.g., the internet).

  • How It Works: VPNs encrypt data packets to ensure privacy and integrity when transmitting over unsecured networks.

  • Benefit: Provides secure remote access for users or connects branch offices to the main network, ensuring privacy.


4. Defense in Depth:

  • Definition: A layered security approach where multiple security controls are implemented at different levels (network, host, application) to protect against threats.

  • How It Works: Layers include firewalls, intrusion detection/prevention systems, antivirus software, access controls, and more.

  • Benefit: If one layer fails, other layers provide additional protection, enhancing overall security.


5. Zero Trust:

  • Definition: A security model that assumes no one (inside or outside the network) is trusted by default and requires verification for every request.

  • How It Works: It relies on strict identity verification, least-privilege access, continuous monitoring, and real-time analytics to ensure that users and devices are always authenticated before accessing resources.

  • Benefit: Reduces the risk of internal and external breaches by verifying trust at every access point.


6. Network Access Control (NAC):

  • Definition: A security solution that enforces policies on which devices can access a network, based on predefined rules.

  • How It Works: NAC systems assess devices (e.g., whether they have up-to-date antivirus software or meet certain security criteria) before granting network access.

  • Benefit: Ensures that only compliant and secure devices are allowed to access the network, preventing unauthorized or insecure devices from connecting.
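How the DMZ, microsegmentation and least-privilege ideas above combine into one enforceable policy, as an added example in Python (not code from the chapter). It models two zones plus "internet", evaluates flows against an ordered, default-deny rule list, and uses CIDR-level rules to pin the DMZ-to-internal path to one web server and one database server; all zones, addresses and ports are hypothetical.

```python
import ipaddress

# Hypothetical zone layout; the addresses are constructed for this example.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/16"),
}

# Rules are evaluated top to bottom, first match wins, and anything unmatched is denied.
# An endpoint is either a zone name (perimeter rule) or a CIDR (microsegmentation rule
# that pins the permission to specific workloads). proto or ports None means any.
RULES = [
    ("internet", "dmz", "tcp", {80, 443}),             # only the public web ports reach the DMZ
    ("192.0.2.10/32", "10.0.5.20/32", "tcp", {5432}),  # web server -> database server only
    ("internal", "dmz", "tcp", {22, 443}),             # admins manage DMZ hosts from inside
    ("internal", "internet", "tcp", {80, 443}),        # outbound browsing
    ("internal", "internal", None, None),              # intra-zone traffic stays permitted here
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"  # anything outside the named zones is untrusted


def endpoint_matches(spec, ip):
    if spec == "internet" or spec in ZONES:
        return zone_of(ip) == spec
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def evaluate(src_ip, dst_ip, proto, dport):
    """Return ("allow", rule) for the first matching rule, or ("deny", "default-deny")."""
    for src, dst, p, ports in RULES:
        if not (endpoint_matches(src, src_ip) and endpoint_matches(dst, dst_ip)):
            continue
        if (p is None or p == proto) and (ports is None or dport in ports):
            return "allow", f"{src}->{dst} {p or 'any'}/{dport}"
    return "deny", "default-deny"
```

The two denied DMZ cases in the test (another DMZ host reaching the database, or the web server reaching a different internal host) are exactly the lateral movement that zone-level DMZ rules alone would permit and that the CIDR rule blocks.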

