ITS 2110 - Introduction to Network Security
Chapter 6 - Network Security Devices, Design, and Technology
This lesson introduces the student to two major types of
attacks. Objectives important to this
- Network security devices
- Network architectures
- Enhancing security
Before we start a discussion about network equipment, we should talk about network models. In the chart below (there is no such thing
as a "below chart", so don't put nonsense like that in your work), you
see three columns that are named for three different network conceptual
models: the Department of Defense (DoD) model, the TCP/IP model, and
the Open Systems Interconnect (OSI) model. Each layer in a model
describes the kind of activities that happen between or within network
The purple layers describe what happens inside a network. The yellow layer describes what happens in passing information from one network to another. The blue layer describes making sure information goes where we want it to go. The green layers describe things that happen in programs that need to send or receive information over a network. That's the very short version of what should be five weeks of lessons.
DoD, TCP/IP, and OSI Models
|Functional Description|DoD Layers|TCP/IP Layers|OSI Layers|
|---|---|---|---|
|Upper Layer Processes|Process/Application|Application|7 - Application|
||||6 - Presentation|
||||5 - Session|
|Reliable Connections|Host-to-host|Transport|4 - Transport|
|Internetwork Connections|Internet|Internet|3 - Network|
|Network Access|Network Interface||2 - Data-Link|
The really useful thing about network models is that they match each other
so well. If we learn any of them, we will understand another one with
Beginning on page 236, with a discussion about the OSI network model,
the text places several network devices in context based on their
roles in the network.
- Hubs (and cables) belong on the Physical layer (layer 1) because
they do not use any address information. Having no selectivity, they
pass along every frame and packet (clump of data) to every port.
- Bridges connect network segments together and act as filters, to
minimize traffic. Without filters, all traffic on a network would go
to all stations, on all segments. A bridge connects two LAN
segments, and filters traffic so that every signal does not have to appear on
both segments. Since bridges use hardware addresses to make their
decisions, bridges are considered Data-Link layer
devices. (That's the layer where hardware addressing lives.) The text
calls bridges standard network devices, but they are rarely used any
more. Switches do a better job.
- Switches belong on
the Data-Link layer (layer 2)
because they use MAC addresses
to determine whether they send a message to one device (as a unicast) or to multiple devices (as
Switches will send all messages to all ports initially, but they build
address tables based on the source address field in each message they
process, associating MAC addresses with the port on which the message
was received. The address tables are used to send unicast transmissions
whenever possible. This selectivity adds to security by reducing the
number of broadcasts, and by sending data/messages only to devices that
need them, only across media that connect to those devices.
Switches can be used to monitor network
traffic for all devices if they support port mirroring,
copying all traffic passing through the switch to a selected port that an
administrator is monitoring. In a way, this makes the switch act like a
hub, but only with respect to the traffic sent to that one port. We are
also told that port mirroring is best used in a low-traffic network. For a high-traffic network, the text
recommends a network test access point
(network tap), which is an
appliance that does the same job.
- Routers belong on
the Network layer
(layer 3) because they use software addresses (typically IP addresses)
to find routes to networks. The text remarks that a router can be
configured to filter out packets based on specific criteria, which
means that a router may act as a firewall.
- Load balancers are
devices that send traffic to servers or other devices on a rotating basis to evenly distribute
some kind of work. A load balancer may be a dedicated network appliance, or it may be software running on a server. The
text makes a distinction between layer
4 load balancers and layer 7
load balancers. The difference has to do with which layer the
protocol used by the traffic being balanced belongs to.
- Layers 3 and 4: IP, TCP, UDP
- Layer 7: HTTP, IMAP, POP3, SMTP, DNS
- Proxies are devices
that act for or as another device. The
text mentions a proxy server that is used to share an IP address among
several devices on its network, so that only the IP address of the
proxy server is ever seen by hosts on the Internet. The text lists four
benefits of having a proxy server that passes requests to the Internet.
Increased speed and reduced cost are not relevant if
your users need to
access web sites that change regularly: caching on the proxy server is
not useful if you need the most current version of a page. Improved management and stronger security are more likely to
be real benefits. Blocking
access to unacceptable web sites is commonly managed through a proxy
server (using a product like SurfControl, now known as Websense).
Security is increased by making only the proxy server visible to the
Internet, hiding the addresses of your other devices.
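The MAC-address learning, flooding and port mirroring described under Switches above, as an added Python model (not code from the textbook or these notes; the switch class, the port numbers and the MAC addresses are constructed for the illustration):

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    src: str   # source MAC address
    dst: str   # destination MAC address

@dataclass
class LearningSwitch:
    """Model of a layer-2 switch: learns source MACs, floods unknown destinations."""
    num_ports: int
    mirror_port: Optional[int] = None                          # port an administrator is monitoring, if any
    mac_table: Dict[str, int] = field(default_factory=dict)    # MAC address -> port it was learned on

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        """Return the ports the frame is sent out of, learning the source along the way."""
        # Learn: the source address is reachable through the port the frame arrived on.
        self.mac_table[frame.src] = in_port
        if frame.dst != BROADCAST and frame.dst in self.mac_table:
            # Known unicast destination: only that port (and never back out the ingress port).
            out = {self.mac_table[frame.dst]} - {in_port}
        else:
            # Broadcast, or a destination not yet learned: flood every port except the ingress one.
            out = {p for p in range(self.num_ports) if p != in_port}
        if self.mirror_port is not None and self.mirror_port != in_port:
            # Port mirroring: the monitoring port gets a copy of everything, hub-style.
            out.add(self.mirror_port)
        return sorted(out)

def demo() -> dict:
    """Constructed traffic: hosts A, B and C sit on ports 0, 2 and 1 of a four-port switch."""
    sw = LearningSwitch(num_ports=4)
    a, b, c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    return {
        "a_to_b_unknown": sw.forward(0, Frame(a, b)),        # B not learned yet: flooded to [1, 2, 3]
        "b_reply": sw.forward(2, Frame(b, a)),               # A already learned: sent only to [0]
        "a_to_b_known": sw.forward(0, Frame(a, b)),          # B now learned: sent only to [2]
        "c_broadcast": sw.forward(1, Frame(c, BROADCAST)),   # broadcast: flooded to [0, 2, 3]
        "mac_table": dict(sw.mac_table),
    }
```

Giving the switch a `mirror_port` shows the trade-off the notes mention: every frame is copied to the monitoring port, so on a busy switch that one port carries all the traffic.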
The text moves on to discuss specific network security devices (hardware).
- Network firewalls
are compared to host-based firewall software. Their purposes are
similar, but a hardware firewall must handle much more traffic. Since
they are meant to protect a large number of devices, a network firewall
is typically placed at a traffic choke point, like the one in the
diagram on page 280. That firewall is between the main switch for a
network and the router that provides access to the Internet. It should
be monitoring traffic flowing into and out of our network.
The text reminds us that firewalls may be stateless or stateful. The difference is that stateful firewalls will not allow
traffic between devices unless a proper communication session has been established between
them. This prevents attacks that begin with an uninvited transmission.
The text reviews common actions that
a firewall may take based on the rules set by an administrator.
Simple firewalls may have fewer options:
- allow - allow the
traffic to continue
- drop - deny the
traffic, and send no response to the sender
- reject - deny the
traffic, but send a response that the destination cannot be reached
- ask - alert an
administrator, asking what to do
Most firewalls will follow rules based on the properties
of received packets like the ones in the list on page 281, such as where the
traffic is from, where it is going, and what protocol is being used.
Firewalls may also be application aware, which means they can
make decisions about packets based on the application they are trying
to access on the receiving device.
- Spam filters are
typically employed as part of an email system, but they may be
standalone devices or services purchased from a vendor. The
illustrations on page 283 show two possible locations for deploying a
spam filter. Unfortunately, the pictures are a little misleading.
Basic facts first: outgoing
email is typically sent across the Internet using Simple Mail Transfer Protocol (SMTP, port 25). This is what your
post office uses to send email to another post office. This does require an SMTP server on each
of the networks involved. The receiving SMTP server delivers your email
to your mailbox, which you can think of as a set of records in a database. Your email
client may pull the mail from
the mailbox with Post Office Protocol
3 (POP3, port 110), or
just read it with Internet Message
Access Protocol (IMAP,
port 143). There is no specific POP3 or IMAP server involved with those
requests to your mailbox, only a service that your client's request
activates in the post office.
So, with that understood, we could install a spam filter to manage all
mail before it hits the post
office (incoming SMTP
traffic), or as a filter for all POP3 or IMAP requests to the post office. The
text recommends filtering before the traffic is stored in the post
- Virtual Private Network
(VPN) Concentrators take a little
explanation. A VPN is a secure
communication channel that is often used by people who need to connect
to their usual network when they are traveling, working from home, or
are otherwise away from their usual work location. A VPN may pass
traffic across the Internet, but it can be considered as secure because
all traffic passed from one end of the channel to the other is
encrypted. Using a VPN provides a level of security that an unsecured
data channel cannot provide. Each end of a VPN channel is called an
A VPN Concentrator is
typically a hardware device that provides many VPN connections to a
network. You might think of it as a server or a switchboard that
supports many instances of a particular kind of network connection.
- Internet Content Filters
are often used with proxy servers, as described above. Their purpose is
to prevent access to websites and files that are forbidden by company
policy. The text mentions that they can work by matching against a list
of URLs (URL filtering) or by
examining a site or file for restricted or forbidden content (content inspection).
- Web Security Gateways
- similar to a Content Filter, but these are reactive in real time to
applications like file sharing, script exploits, and malicious code
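The allow/drop/reject actions and the stateless-versus-stateful distinction from the firewall discussion above, as an added Python simulation (not the textbook's or these notes' code; the rule fields, the CIDR blocks, the addresses and the ports are assumptions made for the example):

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt

@dataclass
class Rule:
    action: str                   # "allow", "drop" or "reject" ("ask" is left to an operator)
    src: Optional[str] = None     # CIDR block, or None to match anything
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        def in_net(net, ip):
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

class Firewall:
    """First matching rule wins; anything no rule matches is dropped silently."""
    def __init__(self, rules: List[Rule], stateful: bool):
        self.rules, self.stateful = rules, stateful
        self.sessions: Set[Tuple[str, str, str, int, int]] = set()  # (client, server, proto, sport, dport)

    def check(self, p: Packet) -> str:
        if self.stateful:
            # A reply to a session this firewall already saw opened is always allowed.
            if (p.dst, p.src, p.proto, p.dport, p.sport) in self.sessions:
                return "allow"
            # Any other non-SYN TCP packet has no session behind it: an uninvited transmission.
            if p.proto == "tcp" and not p.syn:
                return "drop"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and self.stateful:
                    self.sessions.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return rule.action
        return "drop"
```

With a rule that opens the return path for replies from port 443, the stateless firewall also passes an uninvited packet that merely uses source port 443 towards an inside host, while the stateful firewall drops it because no inside host opened that session.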
The next few pages are about intrusion detection and
prevention. Let's look at a few definitions:
- intrusion - someone
tries to access or disrupt a system
- intrusion detection
- if a product only does detection, it
will notice an attempted or actual intrusion, and will probably tell
someone; a detection system does not take action against the intrusion
- intrusion reaction
- if a product reacts to intrusions, it
attempts to stop them, contain them, or minimize their effects
- intrusion prevention
- if a product acts to prevent
intrusion, it probably does detection as well; I am sometimes notified
by my security suite that an attempted intrusion has been detected and
stopped, which is what you want such a system to do
When you are researching products in this category, you should be
careful to note what the product actually does. If it is marketed as an
intrusion detection system,
don't expect it to prevent or stop intrusions. An intrusion detection and prevention system
(IDPS) would be preferable to a
system that only performed one of those functions.
An IDS, an IPS, or an IDPS may be installed on a computer or a network appliance and allowed to
sniff all the packets
that pass by. This sort of network-based
system may need to be duplicated in various parts of your network,
since it has to watch every packet that goes by, and it will not see
any packets that are not passed to the network segment it lives on.
This type of device or system would use the word network as a qualifier and a prefix (NIDS, NIPS, NIDPS).
The second major option is a host-based
IDPS. This kind of system
can detect changes on the host where it is installed that do not depend
on network traffic. On the other hand, it needs to be installed on
every host you intend to protect. In a home network, this is not a
large burden, but in a commercial setting it can be a lot of work. A
convincing argument may be that the antivirus program provided as part
of your home contract with a cable provider probably includes this
feature. If you are installing Norton 360, for example, you are already
installing a system to watch for intrusions as well as to watch for
viruses. The variations of this type would use the word host as a qualifier and a prefix (HIDS, HIPS, HIDPS).
The text discusses two network technologies that can provide
some security. We have already discussed The other technology
The chapter discusses more concepts that it calls Network Architecture.
- Demilitarized Zone (DMZ) - This is a part of your
network that is typically made available to the general public. It may contain a web server, an email server, and some public-facing material. It will not be connected to the parts of
your network that contain sensitive or secret material. Some people
misunderstand, thinking that the DMZ is an unprotected part of the
network. This is not true: you should use the same protective measures that you
use on the rest of your network.
- Network Address Translation - this is
used on a proxy server that presents a registered
IP address to the Internet, hiding the private
addresses that are actually used on your network.
- Subnetting -
Subnets are often created to restrict access to particular resources,
to organize a network by job function or by geography, or to create
more broadcast domains with fewer users on each one.
- Virtual LANs (VLANs) - A VLAN is used to place
devices or users on the same
LAN, even though they may be in separate
locations, such as in different buildings, cities, or countries. The
network is configured so that particular ports on several switches are
assigned addresses that place them on a single logical LAN.
- Remote Access -
This label refers to any technology that lets someone attach to a
network they are not
physically near. This may mean using a VPN connection, a Remote Access
Server connection, or another technology that supports traveling,
telecommuting, or distant workers.
- Network Access Control (NAC) -
The idea is that when a device is connected to a network, the NAC
service should scan the new
device for flaws, its state regarding
software updates, virus protection currency, and more
before it is allowed to join the network. If it fails the test, the
device is only allowed to access a quarantined
part of the network.