ITS 2110 - Introduction to Network Security

Chapter 6 - Network Security Devices, Design, and Technology


This lesson introduces the student to the devices, designs, and technologies used to secure a network. Objectives important to this lesson:

  1. Network security devices
  2. Network architectures
  3. Enhancing security

Chapter 6

Before we start a discussion about network equipment, we should talk about network models. In the chart below (there is no such thing as a "below chart", so don't put nonsense like that in your work), you see a functional description column and three columns named for three different network conceptual models: the Department of Defense (DoD) model, the TCP/IP model, and the Open Systems Interconnection (OSI) model. Each layer in a model describes the kind of activities that happen between or within network devices.

The bottom two rows of the chart (Physical and Data-Link) describe what happens inside a single network. The Network (Internet) layer describes passing information from one network to another. The Transport layer describes making sure information goes where we want it to go and, with TCP, that it arrives complete and in order. The layers above Transport describe things that happen in programs that need to send or receive information over a network. That's the very short version of what should be five weeks of lessons.

DoD, TCP/IP, and OSI Models

Functional Description      DoD Layers            TCP/IP Layers       OSI Layers
Upper Layer Processes       Process/Application   Application         7 - Application
                                                                      6 - Presentation
                                                                      5 - Session
Reliable Connections        Host-to-host          Transport           4 - Transport
Internetwork Connections    Internet              Internet            3 - Network
                            Network Access        Network Interface   2 - Data-Link
                                                  Physical            1 - Physical

The really useful thing about network models is that they line up with each other so well. If we learn any one of them, we can understand the others with little trouble.

Beginning on page 236, with a discussion about the OSI network model, the text places several network devices in context based on their roles in the network.

  • Hubs (and cables) belong on the Physical layer (layer 1) because they do not use any address information. A hub simply repeats every frame it receives out every other port, so every device attached to it sees all of the traffic, including traffic meant for someone else. That is why a host on a hub can sniff its neighbors, and why hubs have no place in a network you care about securing.
  • Bridges - Bridges connect network segments together and act as filters, to minimize traffic. Without filters, all traffic on a network would go to all stations, on all segments. A bridge connects two LAN segments and filters traffic so that every signal does not have to appear on both segments. Since bridges use hardware (MAC) addresses to make their decisions, bridges are considered Data-Link layer devices. (That's the layer where hardware addressing lives.) The text calls bridges standard network devices, but they are rarely used any more. Switches do a better job.
  • Switches belong on the Data-Link layer (layer 2) because they use MAC addresses to decide where to send each frame. A switch does not know where any device is when it is first powered on, so while a destination MAC address is unknown it floods the frame to every port except the one it arrived on, and it does the same for broadcast frames (destination ff:ff:ff:ff:ff:ff). As it processes frames, it builds an address table from the source address field of each one, associating that MAC address with the port the frame arrived on. Once the destination is in the table, the frame is sent out that one port only (as a unicast). This selectivity adds to security by reducing the number of broadcasts and by sending data only to the devices that need it, only across the media that connect to those devices. Treat it as a convenience rather than a security boundary: the table is built from whatever source addresses the switch happens to see, and it has to be filled before the filtering helps at all.

    Switches can be used to monitor network traffic for all devices if they support port mirroring: the switch copies the traffic passing through one or more ports to a designated port that an administrator is monitoring. In a way, this makes the switch act like a hub, but only with respect to the monitoring port. We are also told that port mirroring is best used in a low-traffic network. The reason is capacity: a mirror port has the same bandwidth as any other port, so when the ports being copied are busy in both directions the copies exceed what the mirror port can carry, and frames silently disappear from the monitor's view. For a high-traffic network, the text recommends a network test access point (network tap), an appliance that sits inline on the link and does the same job without that limit.
  • Routers belong on the Network layer (layer 3) because they use logical (software) addresses, typically IP addresses, to find routes to networks. The text remarks that a router can be configured to filter out packets based on specific criteria, which means that a router may act as a packet-filtering firewall.
  • Load balancers are devices that send traffic to servers or other devices on a rotating basis to evenly distribute some kind of work. A load balancer may be a dedicated network appliance, or it may be software running on a server. The text makes a distinction between layer 4 load balancers and layer 7 load balancers. The difference is how much of each packet the balancer looks at: a layer 4 balancer distributes connections based on IP addresses and TCP/UDP ports without reading the payload, while a layer 7 balancer understands the application protocol and can route by content, such as the URL or headers of an HTTP request.
    • Layers 3 and 4: IP, TCP, UDP
    • Layer 7: HTTP, IMAP, POP3, SMTP, DNS
  • Proxies are devices that act for or as another device. The text mentions a proxy server that is used to share an IP address among several devices on its network, so that only the IP address of the proxy server is ever seen by hosts on the Internet. The text lists four benefits of having a proxy server that passes requests to the Internet. Increased speed and reduced cost come from caching, and they matter less if your users need to access web sites that change regularly: a cached copy is not useful if you need the most current version of a page. Improved management and stronger security are more likely to be real benefits. Blocking access to unacceptable web sites is commonly managed through a proxy server (using a product like SurfControl, now known as Websense). Security is increased by making only the proxy server visible to the Internet, hiding the addresses of your other devices.

The text moves on to discuss specific network security devices (hardware).

  • Network firewalls are compared to host-based firewall software. Their purposes are similar, but a network firewall must handle much more traffic. Since it is meant to protect a large number of devices, a network firewall is typically placed at a traffic choke point, like the one in the diagram on page 280. That firewall is between the main switch for a network and the router that provides access to the Internet. It should be monitoring traffic flowing into and out of our network.
    The text reminds us that firewalls may be stateless or stateful. A stateless firewall judges each packet on its own against the rules. A stateful firewall also keeps a table of the connections it has allowed, so a packet gets through either because a rule allows it or because it belongs to a session that was already allowed (for example, the reply to a web request an inside host sent out). Unsolicited traffic that belongs to no session is dropped. This prevents attacks that begin with an uninvited transmission, and it removes the need for the loose "allow replies" rules a stateless firewall depends on, which an attacker can satisfy by forging a source port.
    The text reviews common actions that a firewall may take based on the rules set by an administrator. Simple firewalls may have fewer options:
    • allow - allow the traffic to continue
    • drop - deny the traffic, and send no response to the sender
    • reject - deny the traffic, but send a response that the destination cannot be reached
    • ask - alert an administrator, asking what to do
    Facing the Internet, drop is usually the better choice of the two denials: a reject tells a scanner that something is listening there.

    Most firewalls will follow rules based on the properties of received packets like the ones in the list on page 281, such as where the traffic is from, where it is going, and what protocol is being used. Most firewalls check the rules in order and act on the first one that matches, so the order in which you write them matters.

    Firewalls may also be application aware, which means they can make decisions about packets based on the application they are trying to access on the receiving device.
  • Spam filters are typically employed as part of an email system, but they may be standalone devices or services purchased from a vendor. The illustrations on page 283 show two possible locations for deploying a spam filter. Unfortunately, the pictures are a little misleading.

    Basic facts first: outgoing email is typically sent across the Internet using Simple Mail Transfer Protocol (SMTP, port 25). This is what your post office uses to send email to another post office. This does require an SMTP server on each of the networks involved. (Your own mail client hands mail to your post office with the same protocol, usually on the submission port, 587.) The receiving SMTP server delivers your email to your mailbox, which you can think of as a set of records in a database. Your email client may pull the mail from the mailbox with Post Office Protocol 3 (POP3, port 110), or just read it with Internet Message Access Protocol (IMAP, port 143). The encrypted versions, which are what you should expect to see in practice, use port 995 (POP3 over TLS) and port 993 (IMAP over TLS). There is no specific POP3 or IMAP server involved with those requests to your mailbox, only a service that your client's request activates in the post office.

    So, with that understood, we could install a spam filter to manage all mail before it hits the post office (incoming SMTP traffic), or as a filter for all POP3 or IMAP requests to the post office. The text recommends filtering before the traffic is stored in the post office/mailboxes, which also keeps the junk from taking up space there in the first place.
  • Virtual Private Network (VPN) Concentrators take a little explanation. A VPN is a secure communication channel that is often used by people who need to connect to their usual network when they are traveling, working from home, or are otherwise away from their usual work location. A VPN may pass traffic across the Internet, but it can be considered secure because all traffic passed from one end of the channel to the other is encrypted and authenticated, so it can be neither read nor altered in transit. Keep in mind what that covers: the protection ends at the VPN endpoints, and the traffic is in the clear beyond them unless something else protects it. Each end of a VPN channel is called an endpoint.
    A VPN Concentrator is typically a hardware device that provides many VPN connections to a network. You might think of it as a server or a switchboard that supports many instances of a particular kind of network connection.
  • Internet Content Filters are often used with proxy servers, as described above. Their purpose is to prevent access to websites and files that are forbidden by company policy. The text mentions that they can work by matching against a list of URLs (URL filtering) or by examining a site or file for restricted or forbidden content (content inspection).
  • Web Security Gateways - similar to a Content Filter, but these react in real time to threats carried in web traffic, such as file sharing, script exploits, and malicious code attacks.
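To make the stateless/stateful distinction and the allow/drop/reject actions concrete, here is an added example in Python (not code from the textbook or from any firewall product). It runs the same four constructed packets through a stateless filter and a stateful one that use the same rule syntax. The rule and packet formats, the RFC 5737 documentation addresses, and the "first match wins, default drop" policy are all assumptions made for the example.

```python
"""Stateless vs. stateful packet filtering (added example, not from the text).

Addresses are from the RFC 5737 documentation ranges; rules and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow", "drop" or "reject"
    proto: Optional[str] = None    # None matches any protocol
    src_net: Optional[str] = None  # CIDR prefix; None matches any address
    dst_net: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        return self.dport is None or self.dport == p.dport


class StatelessFirewall:
    """Judges each packet on its own: first matching rule wins, else the default."""

    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules = rules
        self.default = default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


class StatefulFirewall(StatelessFirewall):
    """Same rules, but remembers the sessions it allowed and admits their replies."""

    def __init__(self, rules: List[Rule], default: str = "drop"):
        super().__init__(rules, default)
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if forward in self.sessions or reverse in self.sessions:
            return "allow"              # continuation or reply of an allowed session
        action = super().decide(p)
        if action == "allow":
            self.sessions.add(forward)  # only rule-allowed packets can open a session
        return action


INSIDE = "10.0.0.0/24"
RULES = [
    Rule("allow", "tcp", src_net=INSIDE, dport=443),  # inside hosts may reach HTTPS
    Rule("reject", "tcp", dst_net=INSIDE, dport=23),  # refuse telnet from outside
]
# A stateless filter cannot recognise replies, so it needs a rule like this one to let
# web responses back in. It also admits anything that merely claims source port 443.
REPLY_HOLE = Rule("allow", "tcp", dst_net=INSIDE, sport=443)

PACKETS = [
    Packet("10.0.0.5", 51000, "198.51.100.20", 443),  # outbound web request
    Packet("198.51.100.20", 443, "10.0.0.5", 51000),  # the legitimate reply
    Packet("203.0.113.7", 443, "10.0.0.5", 51000),    # unsolicited, forged source port
    Packet("203.0.113.7", 4000, "10.0.0.5", 23),      # inbound telnet attempt
]


def run(fw: StatelessFirewall, packets: List[Packet]) -> List[str]:
    return [fw.decide(p) for p in packets]


def demo():
    return {
        "stateless": run(StatelessFirewall(RULES + [REPLY_HOLE]), PACKETS),
        "stateful": run(StatefulFirewall(RULES), PACKETS),
    }
```

The stateless filter returns allow, allow, allow, reject: it cannot tell the real reply from the forged one, because the only thing it has to go on is the source port. The stateful filter returns allow, allow, drop, reject without needing the reply rule at all, because the second packet matches the session the first one opened and the third matches nothing. The telnet probe is rejected in both cases, which is the action you would pick on an internal firewall where you want users to get a quick error rather than a hang; on the Internet edge you would normally drop it.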

The next few pages are about intrusion detection and prevention. Let's look at a few definitions:

  • intrusion - someone tries to access or disrupt a system
  • intrusion detection - if a product only does detection, it will notice an attempted or actual intrusion, and will probably tell someone; a detection system does not take action against the intrusion
  • intrusion reaction - if a product reacts to intrusions, it attempts to stop them, contain them, or minimize their effects
  • intrusion prevention - if a product acts to prevent intrusion, it probably does detection as well; I am sometimes notified by my security suite that an attempted intrusion has been detected and stopped, which is what you want such a system to do

When you are researching products in this category, you should be careful to note what the product actually does. If it is marketed as an intrusion detection system (IDS), don't expect it to prevent or stop intrusions. An intrusion detection and prevention system (IDPS) would be preferable to a system that only performed one of those functions.

An IDS, an IPS, or an IDPS may be installed on a computer or a network appliance and allowed to sniff all the packets that pass by, typically at the same choke point as the firewall or fed by a mirror port or a tap. This sort of network-based system may need to be duplicated in various parts of your network, since it has to watch every packet that goes by, and it will not see any packets that are not passed to the network segment it lives on. This type of device or system would use the word network as a qualifier and a prefix (NIDS, NIPS, NIDPS).

The second major option is a host-based IDPS. This kind of system can detect changes on the host where it is installed that do not depend on network traffic, such as altered system files, new accounts, or unexpected processes. On the other hand, it needs to be installed on every host you intend to protect. In a home network, this is not a large burden, but in a commercial setting it can be a lot of work. A convincing argument may be that the antivirus program provided as part of your home contract with a cable provider probably includes this feature. If you are installing Norton 360, for example, you are already installing a system to watch for intrusions as well as to watch for viruses. The variations of this type would use the word host as a qualifier and a prefix (HIDS, HIPS, HIDPS).

The text discusses two network technologies that can provide some security. We have already discussed  The other technology is 

The chapter discusses more concepts that it calls Network Architecture.

  • Demilitarized Zone (DMZ) - This is a part of your network that is typically made available to the general public. It may contain a web server, an email server, and some public facing material. It is separated by the firewall from the parts of your network that contain sensitive or secret material, so that a server in the DMZ that gets compromised cannot simply reach the inside. Some people misunderstand, thinking that the DMZ is an unprotected part of the network. This is not true: you should use the same protective measures that you use on the rest of your network.
  • Network Address Translation (NAT) - this is used on a router, firewall, or proxy server at the network edge that presents a registered (public) IP address to the Internet, hiding the private addresses that are actually used on your network. Outbound connections are rewritten to the public address, replies are mapped back to the inside host that started them, and traffic from outside that matches no such mapping has nowhere to go.
  • Subnetting - Subnets are often created to restrict access to particular resources, to organize a network by job function or by geography, or to create more broadcast domains with fewer users on each one.
  • Virtual LANs (VLANs) - A VLAN is used to place devices or users on the same logical LAN even though they may be in separate locations, such as in different buildings, cities, or countries, or to keep groups of devices apart even though they share the same physical switch. The network is configured so that particular ports on several switches are assigned the same VLAN identifier, placing them on a single logical LAN; traffic between VLANs has to pass through a router, which is where access rules can be applied.
  • Remote Access - This label refers to any technology that lets someone attach to a network they are not physically near. This may mean using a VPN connection, a Remote Access Server connection, or another technology that supports traveling, telecommuting, or distant workers.
  • Network Access Control (NAC) - The idea is that when a device is connected to a network, the NAC service should check the new device for flaws, its state regarding software updates, virus protection currency, and more before it is allowed to join the network. If it fails the test, the device is only allowed to access a quarantined part of the network, typically one that holds just the update servers it needs to fix itself.
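To show what "hiding the private addresses" means mechanically, here is an added Python model of source NAT with port translation (example code, not from the textbook or any router). Two inside hosts that happen to use the same source port are given distinct public ports, replies are mapped back to the right host, and inbound packets that match no session are dropped. The private (RFC 1918) and documentation (RFC 5737) addresses and the starting public port are assumptions for the example; mapping timeouts are left out.

```python
"""Source NAT with port translation (added example, not from the text).

Inside addresses are RFC 1918 private space, outside ones RFC 5737 documentation
space; all packets are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


Session = Tuple[str, int, str, int]  # (private ip, private port, remote ip, remote port)


class SourceNat:
    """Rewrites outbound packets to one public address and maps replies back."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Session, int] = {}  # session -> public port
        self.inbound: Dict[int, Session] = {}   # public port -> session

    def translate_outbound(self, p: Packet) -> Packet:
        key: Session = (p.src, p.sport, p.dst, p.dport)
        if key not in self.outbound:
            # New session: allocate a unique public port so that two inside
            # hosts using the same source port do not collide.
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return replace(p, src=self.public_ip, sport=self.outbound[key])

    def translate_inbound(self, p: Packet) -> Optional[Packet]:
        entry = self.inbound.get(p.dport)
        if entry is None:
            return None  # no session on this port: nothing inside is reachable
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (p.src, p.sport) != (remote_ip, remote_port):
            return None  # sender is not the peer of this session: drop it
        return replace(p, dst=priv_ip, dport=priv_port)


def demo() -> Dict[str, Optional[Packet]]:
    nat = SourceNat("203.0.113.1")
    a = Packet("192.168.1.10", 50000, "198.51.100.20", 80)
    b = Packet("192.168.1.11", 50000, "198.51.100.20", 80)  # same source port as a
    out_a, out_b = nat.translate_outbound(a), nat.translate_outbound(b)
    reply_b = Packet("198.51.100.20", 80, "203.0.113.1", out_b.sport)
    forged = Packet("203.0.113.99", 80, "203.0.113.1", out_a.sport)  # wrong sender
    scan = Packet("203.0.113.99", 1234, "203.0.113.1", 40999)         # unmapped port
    return {
        "out_a": out_a,
        "out_b": out_b,
        "reply_b": nat.translate_inbound(reply_b),
        "forged": nat.translate_inbound(forged),
        "scan": nat.translate_inbound(scan),
    }


if __name__ == "__main__":
    for name, packet in demo().items():
        print(name, packet)
```

Every packet leaving the network carries 203.0.113.1 as its source, so the outside world learns nothing about 192.168.1.0/24. The mapping table is what makes replies work, and its absence for anything unsolicited is why NAT incidentally blocks inbound connections; that is a side effect, not a substitute for the firewall rules discussed above.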