CS406 Study Guide

Unit 6: Network Security

6a. Describe how network designs such as segmentation, zoning, and redundancy can protect networks

  • What are the security advantages of demilitarized zones (DMZ), network address translation (NAT), network access control (NAC), virtualization, subnetting, and segmentation?
  • What is meant by redundancy and how can it be accomplished in information systems?
  • What type of network design could be used to create a honeypot?

A demilitarized zone (DMZ) sits between two routers (or firewalls): the outer one admits selected traffic from the untrusted network into the DMZ, and the inner one keeps that traffic from continuing into the internal network. A network address translation (NAT) router also protects the internal network by hiding private internet protocol (IP) addresses from untrusted networks; outside hosts see only the router's public address. Network access control (NAC) protects wired and wireless networks by admitting only devices that meet defined criteria, such as an approved operating system, and refusing devices that are not patched or do not have current anti-malware software installed. Virtualization helps security by making it simpler to rebuild or roll back a compromised system from a known-good image and bring it back online. Subnetting increases the security of a network by segmenting systems and grouping them by security level. Resource segmentation uses virtual local area networks (VLANs) to segment and layer a network by user group, resource type, or a combination of the two.
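The following is an added example, not part of the course materials, showing how segmentation turns into an enforceable zone policy. It classifies addresses into zones by subnet and checks flows against a zone-to-zone matrix; the subnets, ports and the three-zone layout (internet, DMZ, internal) are assumptions chosen for illustration, using documentation address ranges.

```python
import ipaddress
from typing import NamedTuple

# Constructed example network (assumed addresses): each zone is one or more subnets.
ZONES = {
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],   # public-facing servers
}
# Any address outside the defined zones is treated as the untrusted internet.


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


# Zone-to-zone policy: (from_zone, to_zone) -> allowed destination ports.
# Pairs that are absent are denied, so there is deliberately no
# ("internet", "internal") entry: outside traffic may stop in the DMZ only.
POLICY = {
    ("internet", "dmz"): {80, 443},
    ("dmz", "internal"): {5432},       # DMZ web tier may reach only the database port
    ("internal", "dmz"): {22, 443},
    ("internal", "internet"): {80, 443},
    ("internal", "internal"): None,    # None means any port
}


def zone_of(ip: str) -> str:
    """Map an address to its zone by longest-match against the zone subnets."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


def allowed(flow: Flow) -> bool:
    """Apply the zone matrix; unknown zone pairs default to deny."""
    key = (zone_of(flow.src), zone_of(flow.dst))
    if key not in POLICY:
        return False
    ports = POLICY[key]
    return ports is None or flow.dport in ports


if __name__ == "__main__":
    samples = [
        Flow("203.0.113.9", "192.0.2.10", 443),   # internet -> DMZ web server: allowed
        Flow("203.0.113.9", "10.1.2.3", 445),     # internet -> internal host: denied
        Flow("192.0.2.10", "10.1.2.3", 5432),     # DMZ -> internal database: allowed
        Flow("192.0.2.10", "10.1.2.3", 22),       # compromised DMZ host probing SSH: denied
    ]
    for f in samples:
        print(f, "ALLOW" if allowed(f) else "DENY")
```

The important property is the missing ("internet", "internal") entry: a DMZ host that is compromised can reach the internal network only on the ports the matrix lists, which is the point of placing public servers in their own segment.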

The primary purpose of redundancy is to ensure system availability and reliability in case of failure. Redundancy is the duplication of critical elements of a system and can be thought of as a backup for that element. In information systems, this can be accomplished with two central processing units (CPUs): when one fails, the other takes over. On the internet, it is accomplished with alternate paths. If one path fails, for instance because a cable is cut, traffic is routed over another path.

A honeypot deflects attackers away from systems holding sensitive data. Once an attacker has entered the honeypot, their methods can be tracked and studied to determine how to make the production system more secure. A honeypot is created with network segmentation: it is placed in its own segment, so that regular traffic is kept away from the attacker and the attacker cannot reach the production network from the honeypot.

To review, see section 6.1: Network Security Design.

 

6b. Explain how firewalls filter or block traffic, the appropriate placement of firewalls in networks, and common firewall terminology such as stateless packet filtering, stateful packet inspection, and deep packet inspection

  • How does a firewall block traffic?
  • Where would a stateful or stateless firewall be placed?
  • Where should firewalls be located around a demilitarized zone?
  • What are the three techniques used in deep packet inspection (DPI)?

Firewalls block traffic according to a predetermined set of rules. Each rule accepts a packet, rejects it (discards it and sends an error back to the sender), or drops it (discards it silently). The rules are evaluated in order, from first to last, and the first rule that matches decides the packet's fate, so a catch-all rule at the end handles everything the earlier rules did not match. How a firewall examines a packet also determines where it is placed: packet filtering looks only at the packet header, while deep packet inspection examines the data carried in the packet.

Firewall placement in a network is based on the way the firewall examines packets. Stateful firewalls keep a table of established connections, so they are best placed on the perimeter of a network; the initial connection takes longer to set up, but the later packets of that connection are matched against the table, which improves performance. Stateless firewalls examine every packet on its own, so they are placed internally in a network, connect faster, and require less memory.
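The next block is an added example, not from the course materials, that makes the two points above concrete: first-match rule ordering with accept, reject and drop, and the difference between a stateless filter and stateful inspection. The rule set, packets and addresses are assumed for illustration; the model uses only the header fields the paragraph mentions.

```python
from dataclasses import dataclass
from typing import Optional


# Constructed packets (documentation address ranges, assumed for this example).
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # TCP SYN marks a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                 # "accept", "reject" (error back) or "drop" (silent)
    src: Optional[str] = None   # None matches anything
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or self.src == p.src) and
                (self.dst is None or self.dst == p.dst) and
                (self.dport is None or self.dport == p.dport))


def first_match(rules, p: Packet, default: str = "drop") -> str:
    """Stateless packet filter: walk the list in order, apply the first matching rule."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFirewall:
    """Stateful inspection: the rules decide only new connections. Replies to a
    tracked connection are accepted automatically, so no permissive rule for
    return traffic on high ports is needed."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # (client_ip, client_port, server_ip, server_port)

    def process(self, p: Packet) -> str:
        if (p.dst, p.dport, p.src, p.sport) in self.table:
            return "accept"   # return traffic of an established connection
        if not p.syn:
            return "drop"     # unsolicited packet that claims to belong to a session
        action = first_match(self.rules, p)
        if action == "accept":
            self.table.add((p.src, p.sport, p.dst, p.dport))
        return action


WEB = "192.0.2.10"
CLIENT = "203.0.113.9"
RULES = [
    Rule("accept", dst=WEB, dport=443),
    Rule("reject", dst=WEB, dport=22),   # explicit reject must come before the catch-all
    Rule("drop"),                         # catch-all: nothing after this line is ever reached
]

request = Packet(CLIENT, WEB, 51515, 443, syn=True)
reply = Packet(WEB, CLIENT, 443, 51515)
probe = Packet(CLIENT, WEB, 51516, 8080, syn=True)
spoofed_reply = Packet(WEB, CLIENT, 443, 40000)   # looks like a reply, but no such connection


def demo() -> dict:
    fw = StatefulFirewall(RULES)
    return {
        "stateless_reply": first_match(RULES, reply),   # dropped: no rule accepts it
        "stateful_request": fw.process(request),
        "stateful_reply": fw.process(reply),             # accepted from the state table
        "stateful_probe": fw.process(probe),
        "stateful_spoofed": fw.process(spoofed_reply),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

With the same rule list, the stateless filter drops the server's legitimate reply because no rule accepts traffic to the client's ephemeral port; the stateful firewall accepts it from its table while still dropping a packet that merely claims to be a reply. The cost is the table itself, which is the memory the paragraph above refers to.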

A demilitarized zone (DMZ) allows external access to part of a network while protecting the internal network from outside traffic. To accomplish this, two firewalls are used, and the DMZ lies between them. One firewall faces the outside traffic and admits only what the DMZ servers need; the other is internal and keeps traffic from the DMZ from entering the internal network.

Deep packet inspection (DPI) analyzes traffic in real time and examines the content of internet protocol (IP) packets, not just their headers. Encrypted payloads can be inspected only where the DPI device terminates the TLS session itself (TLS interception); otherwise it sees only headers and traffic metadata. Deep packet inspection can be used in intrusion detection systems (IDS) and intrusion prevention systems (IPS) to thwart malware entering the network. The three techniques used by DPI are flow tracking, pattern matching, and statistical analysis.

To review, see What is a Firewall and How Does it Work?, Packet Filtering, Stateful Packet Inspection, Deep Packet Inspection, Firewall Basics and Firewall Placement, Inbound and Outbound Packet Processing, and Deep Packet Inspection and Routers.

 

6c. Analyze wireless networking encryption types, tunneling, and the vulnerabilities associated with bring your own device (BYOD)

  • Why is it important to encrypt wireless networks?
  • How close does a wireless eavesdropper have to be to intercept a signal between a computer and a router?
  • What do you call a device that both transmits and receives?
  • How does BYOD increase the risk to a company's data and information systems? 

When setting up a wireless network, the traffic travels over an unlicensed radio band and is less secure than a wired network. Anyone within range can receive traffic on that band, so it is important to encrypt the data. Wired equivalent privacy (WEP) and the original Wi-Fi protected access (WPA) have been used to encrypt wireless signals, but both have been broken and should not be used. The current method of wireless encryption is Wi-Fi protected access 2 (WPA2), which uses the advanced encryption standard (AES).
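As an added example that is not part of the course materials, the block below shows the core reason WEP is broken: it encrypts each frame with RC4 keyed by the 40-bit shared key prefixed with a 24-bit IV that is sent in the clear, so once an IV repeats, two frames share a keystream and an eavesdropper can cancel it without knowing the key. The RC4 implementation is written here for illustration, the integrity check value is left out, and the key, IV and plaintexts are constructed.

```python
import os
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation). Encrypting and decrypting
    are the same operation: XOR the data with the keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: the 24-bit IV is prepended to the shared key to form the
    per-frame RC4 key, and the IV is transmitted unencrypted in front of the
    ciphertext. The integrity check value (ICV) is omitted in this example."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + rc4(iv + shared_key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """Eavesdropper's view, no key needed: two captured frames with the same IV were
    encrypted with the same keystream, so XORing the ciphertexts cancels the
    keystream and leaves plaintext1 XOR plaintext2. Returns None if the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor(frame1[3:], frame2[3:])


def recover_with_known_plaintext(frame1: bytes, frame2: bytes,
                                 known_plaintext1: bytes) -> Optional[bytes]:
    """If one plaintext is known or guessable (fixed protocol headers suffice),
    the other plaintext is recovered outright."""
    leak = keystream_reuse_leak(frame1, frame2)
    return None if leak is None else xor(leak, known_plaintext1)


if __name__ == "__main__":
    key = os.urandom(5)            # constructed 40-bit WEP key; the attacker never sees it
    iv = b"\x01\x02\x03"           # only 2**24 IVs exist, so a busy network repeats them
    p1 = b"GET /index.html HTTP/1.1\r\n"
    p2 = b"POST /login pass=hunter2\r\n"
    f1 = wep_encrypt(key, iv, p1)
    f2 = wep_encrypt(key, iv, p2)
    print(recover_with_known_plaintext(f1, f2, p1))   # second plaintext, without the key
```

WPA2 with AES avoids this class of failure by deriving per-session keys and using a counter-based nonce that does not repeat within a session, which is why the study guide recommends it over WEP and WPA.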

Wireless networking is transmitted by radio waves. An attacker does not have to be between a system and its router to intercept a transmission. Radio waves radiate in all directions, typically for 100 to 300 feet, and can be received by anyone with a receiver within that range, so it is very important to use an encryption method that has not been broken.

Wireless systems use different types of devices. A transmitter sends signals, while a receiver accepts signals sent by a transmitter. Devices that can both transmit and receive are called transceivers. Commonly used transceivers are wireless routers and cell phones.

Bring your own device (BYOD) means that users can connect personal devices to a company network, at an increased risk to the company's information systems. The risk has several sources. One is that, collectively, employees use so many different types of devices that it is impractical for the employer to examine and approve every device allowed on the network. Another is that employees' devices are often not securely locked down, so they are easily infected with malware. There is also the issue of lost or stolen devices that hold company information downloaded to them.

To review, read More Wireless Basics, Risks Associated with BYOD, Introduction to Wireless Networks and Wireless Encryption, Wireless Network Basics, and Virtual Ethernet Tunneling.

 

6d. Assess how tools such as honeypots, network sniffers, and packet capturing are used to protect networks

  • When would you prefer to use a honeypot instead of an intrusion detection system (IDS)?
  • What is the difference between a honeypot and a honeynet?
  • How are network sniffers detected?

Honeypots are decoys that attract attackers so that the attacker's methods can be examined, which may also reveal system vulnerabilities. A honeypot carries no legitimate traffic, so any traffic to it comes from an attacker; as a result, honeypots use few resources and produce few false positives. In comparison, intrusion detection systems (IDS) use more resources and produce false positives. A honeypot does not detect breaches elsewhere on the network and cannot identify who the attacker is, and it must itself be secured so that attackers cannot use it as a stepping stone into the production network. Honeypot data can be used to tune the configuration of an IDS and reduce its false positives. Honeypots can be used alone or alongside an IDS, and may be the tool of choice when resources are limited.

Honeypots and honeynets are similar: a honeynet is a collection, or network, of honeypots. A honeynet could, for example, contain honeypots with different environments, such as a Windows honeypot server and a Linux honeypot server. The purpose of a honeynet is to imitate a real network.

Network sniffers can be hardware or software and are used by attackers and by network administrators to examine the packets on a network. Passive network sniffing is generally impossible to detect because the sniffer only receives data, but active sniffing (for example, ARP poisoning to redirect traffic through the sniffer) generates traffic and can be identified. The best way to find a sniffing host is to determine whether its network interface card (NIC) is in promiscuous mode. Send the suspect host a request, such as an ICMP echo request, addressed to its internet protocol (IP) address but to an incorrect media access control (MAC) address. A NIC in normal mode drops a frame that is not addressed to its own MAC, so there is no reply; a NIC in promiscuous mode passes every frame up to the operating system, which sees its own IP address and replies. Because the test relies on MAC addressing, it only works from the same local network segment as the suspect host.
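The block below is an added example, not part of the course materials, that builds the promiscuous-mode probe described above as a raw Ethernet frame (ICMP echo request with valid IP and ICMP checksums, layer-2 destination set to a MAC no host owns) and models the receiving NIC's address filter. The MAC and IP addresses are constructed for the example. On Linux the frame could be sent with a raw AF_PACKET socket bound to the interface while a capture tool watches for the echo reply; the model here covers the NIC filter only, and some operating systems apply a second, software-level MAC check, so a silent host is not proof that no sniffer is present.

```python
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_probe(src_mac: str, bogus_dst_mac: str, src_ip: str, target_ip: str,
                ident: int = 0x1234, seq: int = 1) -> bytes:
    """Ethernet frame carrying an ICMP echo request to target_ip whose layer-2
    destination is a MAC that belongs to no host on the segment."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ip_bytes(src_ip), ip_bytes(target_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    ethernet = mac_bytes(bogus_dst_mac) + mac_bytes(src_mac) + b"\x08\x00"  # EtherType IPv4
    return ethernet + ip_hdr + icmp


def nic_accepts(frame: bytes, nic_mac: str, promiscuous: bool) -> bool:
    """Hardware address filter: in normal mode a NIC keeps frames sent to its own MAC
    or to a group address (low bit of the first octet set: broadcast/multicast);
    in promiscuous mode it accepts every frame it sees."""
    dst = frame[:6]
    return promiscuous or dst == mac_bytes(nic_mac) or bool(dst[0] & 1)


def host_replies(frame: bytes, nic_mac: str, host_ip: str, promiscuous: bool) -> bool:
    """The host answers only if the NIC let the frame through and the IP layer then
    finds its own address as the destination of an ICMP echo request."""
    if not nic_accepts(frame, nic_mac, promiscuous):
        return False
    ip_dst = frame[14 + 16:14 + 20]       # IPv4 destination field
    icmp_type = frame[14 + 20]            # first byte of the ICMP header
    return ip_dst == ip_bytes(host_ip) and icmp_type == 8


if __name__ == "__main__":
    probe = build_probe("02:00:00:00:00:01", "02:00:00:00:00:ee", "192.0.2.1", "192.0.2.50")
    for mode in (False, True):
        replied = host_replies(probe, "02:00:00:00:00:50", "192.0.2.50", mode)
        print("promiscuous" if mode else "normal     ", "replies" if replied else "silent")
```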

To review, see Honeypots, Honeypots and Honeynets, Privacy Issues with Honeypots and Honeynets, Network Sniffers, Wireless Sniffing, and Packet Capturing Using tcpdump and Wireshark.

 

6e. Describe the methods used to secure the web such as HTTPS, TLS/SSL, and DNS/DNSSEC

  • What makes hypertext transfer protocol secure (HTTPS) more secure than hypertext transfer protocol (HTTP)?
  • What is the relationship between secure sockets layer (SSL) and transport layer security (TLS)?
  • Why do we use domain names instead of internet protocol (IP) addresses?

Hypertext transfer protocol (HTTP) is the protocol browsers and web servers use to communicate. Hypertext transfer protocol secure (HTTPS) is more secure than HTTP because of the mode of transmission: HTTP transmits data in clear text, while HTTPS runs HTTP inside a TLS connection, so the data is encrypted in transit and the server's identity is verified through its certificate.

Transport layer security (TLS) is the successor to secure sockets layer (SSL); all SSL versions are deprecated, although the name SSL is still used informally. Both are protocols used by web servers and web browsers to transmit data securely. TLS uses a handshake to negotiate the cipher suite, authenticate the server (and optionally the client) with certificates, and agree on session keys, which establishes a secure bidirectional tunnel; the data is then encrypted before it is sent.

Computers use internet protocol (IP) addresses to communicate. IP addresses are long numbers that are difficult for humans to remember, so humans use domain names instead. The domain name system (DNS) maps, or resolves, domain names to IP addresses. Plain DNS responses are not authenticated, so a forged reply can send a client to the wrong address; the domain name system security extensions (DNSSEC) add digital signatures to DNS records so that a validating resolver can verify that an answer is authentic and unmodified.
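The following added example, not from the course materials, builds a DNS query, parses a response in wire format (including name compression), and applies the only spoofing check plain DNS offers, matching the transaction ID and question. It also reports whether an RRSIG record accompanies the answer, which is what DNSSEC adds; verifying that signature against the zone's keys is a further step not performed here. The response is constructed locally for the example, with a placeholder signature and assumed addresses and timestamps, rather than obtained from a real resolver.

```python
import struct

TYPE_A, TYPE_RRSIG, CLASS_IN = 1, 46, 1


def encode_name(name: str) -> bytes:
    """Wire format: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int, qtype: int = TYPE_A) -> bytes:
    """Minimal recursive query (flags: RD). No EDNS, so RRSIGs are not requested."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def read_name(msg: bytes, off: int):
    """Decode a name, following RFC 1035 compression pointers. Returns (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # two-byte pointer into the message
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, question = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        question.append((qname, qtype, qclass))
    a_records, rrsig_present = [], False
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            a_records.append((name, ".".join(str(b) for b in rdata), ttl))
        elif rtype == TYPE_RRSIG:
            rrsig_present = True      # DNSSEC signature travelling with the A records
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "question": question, "a_records": a_records, "rrsig_present": rrsig_present}


def accept_response(query: bytes, response: bytes) -> bool:
    """Plain DNS anti-spoofing: the reply must echo our 16-bit transaction ID and
    our question. An off-path attacker who guesses both can still forge an answer."""
    q, r = parse_response(query), parse_response(response)
    return r["is_response"] and r["txid"] == q["txid"] and r["question"] == q["question"]


def build_response(query: bytes, ip: str, ttl: int = 300, with_rrsig: bool = False) -> bytes:
    """Constructed answer to `query` for this example (not from a real resolver)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                                  # copy the question section
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2 if with_rrsig else 1, 0, 0)
    ptr = b"\xc0\x0c"                                      # pointer to the name at offset 12
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + bytes(int(o) for o in ip.split("."))
    msg = header + question + a_rr
    if with_rrsig:
        # RRSIG RDATA layout (type covered, algorithm, labels, original TTL, expiration,
        # inception, key tag, signer, signature); timestamps are arbitrary and the
        # signature bytes are a placeholder, not a real signature.
        rdata = struct.pack("!HBBIIIH", TYPE_A, 13, 3, ttl, 0x66000000, 0x65F00000, 12345)
        rdata += encode_name("example.com") + b"\x00" * 64
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, ttl, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    q = build_query("www.example.com", 0x1A2B)
    print(parse_response(build_response(q, "192.0.2.44", with_rrsig=True)))
```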

To review, see Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS), Secure Sockets Layer (SSL) and Transport Layer Security (TLS), and Domain Name System (DNS) and Domain Name System Security Extensions (DNSSEC).

 

Unit 6 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

  • advanced encryption standard (AES)
  • breach
  • bring your own device (BYOD)
  • communicate
  • central processing unit (CPU)
  • decoy
  • deep packet inspection (DPI)
  • demilitarized zone (DMZ)
  • eavesdropper
  • encryption
  • firewall
  • hardware
  • honeynet
  • honeypot
  • hypertext transfer protocol
  • hypertext transfer protocol secure
  • internet protocol
  • intrusion detection system (IDS)
  • intrusion prevention system (IPS)
  • malware
  • media access control
  • network access control (NAC)
  • network address translation (NAT)
  • network sniffer
  • packet capturing
  • promiscuous
  • receive
  • receiver
  • redundancy
  • router
  • secure sockets layer
  • segmentation
  • software
  • subnetting
  • transmit
  • transport layer security
  • virtual local area networks (VLANs)
  • virtualization
  • Wi-Fi protected access (WPA)
  • wired equivalent privacy (WEP)