The International Standards Organization (ISO) developed the Open Systems Interconnect (OSI) model in 1981. It consists of seven functional layers that provide the basis for communication among computers over networks, as described in the table below. You can easily remember them using the mnemonic phrase “All people seem to need data processing.” Understanding this model will help you build a strong network, troubleshoot problems, develop effective applications and evaluate third-party products.
| Layer | Function | Protocols or Standards |
|---|---|---|
| Layer 7: Application | Provides services such as e-mail, file transfers and file servers | HTTP, FTP, TFTP, DNS, SMTP, SFTP, SNMP, RLogin, BootP, MIME |
| Layer 6: Presentation | Provides encryption, code conversion and data formatting | MPEG, JPEG, TIFF |
| Layer 5: Session | Negotiates and establishes a connection with another computer | SQL, X-Window, ASP, DNA, SCP, NFS, RPC |
| Layer 4: Transport | Supports end-to-end delivery of data | TCP, UDP, SPX |
| Layer 3: Network | Performs packet routing | IP, OSPF, ICMP, RIP, ARP, RARP |
| Layer 2: Data link | Provides error checking and transfer of message frames | Ethernet, Token Ring, 802.11 |
| Layer 1: Physical | Physically interfaces with transmission medium and sends data over the network | EIA RS-232, EIA RS-449, IEEE 802 |
To build a strong network and defend it, you need to understand the devices that comprise it. Here are the main types of network devices:
Using the proper devices and solutions can help you defend your network. Here are the most common ones you should know about:
Network segmentation involves segregating the network into logical or functional units called zones. For example, you might have a zone for sales, a zone for technical support and another zone for research, each of which has different technical needs. You can separate them using routers or switches or using virtual local area networks (VLANs), which you create by configuring a set of ports on a switch to behave like a separate network.
Segmentation limits the potential damage of a compromise to whatever is in that one zone. Essentially, it divides one target into many, leaving attackers with two choices: Treat each segment as a separate network, or compromise one and attempt to jump the divide. Neither choice is appealing. Treating each segment as a separate network creates a great deal of additional work, since the attacker must compromise each segment individually; this approach also dramatically increases the attacker’s exposure to being discovered. Attempting to jump from a compromised zone to other zones is difficult. If the segments are designed well, then the network traffic between them can be restricted. There are always exceptions that must be allowed through, such as communication with domain servers for centralized account management, but this limited traffic is easier to characterize.
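The restricted inter-zone traffic described above can be audited mechanically. The following is an added example, not part of the original article: it classifies flow records against a zone map and a short list of permitted exceptions. The zone names, address ranges, ports and sample flows are all assumptions constructed for illustration.

```python
import ipaddress

# Hypothetical zones and address ranges (assumptions, not from the article).
ZONES = {
    "sales": ipaddress.ip_network("10.10.0.0/24"),
    "support": ipaddress.ip_network("10.20.0.0/24"),
    "research": ipaddress.ip_network("10.30.0.0/24"),
    "domain-servers": ipaddress.ip_network("10.0.0.0/28"),
}

# Permitted inter-zone exceptions: (source zone, destination zone, protocol, port).
# "*" as the source zone means every zone may use the exception.
ALLOWED = {
    ("*", "domain-servers", "tcp", 88),    # Kerberos for centralized accounts
    ("*", "domain-servers", "tcp", 389),   # LDAP
    ("support", "sales", "tcp", 443),      # one application-specific exception
}

def zone_of(addr):
    """Return the name of the zone containing addr, or None if no zone does."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def audit_flow(src, dst, proto, port):
    """Classify one flow as 'intra-zone', 'allowed' or 'violation'."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "violation"   # address outside every defined zone: default deny
    if src_zone == dst_zone:
        return "intra-zone"
    if any((s, dst_zone, proto, port) in ALLOWED for s in (src_zone, "*")):
        return "allowed"
    return "violation"

# Constructed sample flows: (source, destination, protocol, destination port).
FLOWS = [
    ("10.10.0.15", "10.10.0.40", "tcp", 445),   # sales to sales
    ("10.10.0.15", "10.0.0.5", "tcp", 88),      # sales to domain servers
    ("10.20.0.7", "10.10.0.40", "tcp", 443),    # support to sales, permitted
    ("10.10.0.15", "10.30.0.9", "tcp", 3389),   # sales to research, not permitted
    ("10.10.0.15", "192.168.5.1", "tcp", 22),   # destination in no known zone
]

def violations(flows):
    """Return the flows that cross a zone boundary without a matching exception."""
    return [f for f in flows if audit_flow(*f) == "violation"]
```

Because the exception list is short, every flow that `violations` returns is worth an analyst's attention.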
Segmentation is also useful in data classification and data protection. Each segment can be assigned different data classification rules and then set to an appropriate level of security and monitored accordingly.
An extreme example of segmentation is the air gap — one or more systems are literally not connected to a network. Obviously, this can reduce the usefulness of many systems, so it is not the right solution for every situation. In some cases, however, a system can be sensitive enough that it needs to not be connected to a network; for example, having an air-gapped backup server is often a good idea. This approach is one certain way of preventing malware infections on a system.
Virtualization is another way to segment a network. Keep in mind that it is much easier to segment virtual systems than it is to segment physical systems. As one simple example, consider a virtual machine on your workstation. You can easily configure it so that the virtual machine is completely isolated from the workstation — it does not share a clipboard, common folders or drives, and literally operates as an isolated system.
Network segments can be classified into the following categories:
As you design your network segregation strategy, you need to determine where to place all your devices. The easiest device to place is the firewall: You should place a firewall at every junction of a network zone. Each segment of your network should be protected by a firewall. This is actually easier to do than you might think. All modern switches and routers have firewall capabilities. These capabilities just need to be turned on and properly configured. Another device that obviously belongs on the perimeter is an anti-DDoS device so you can stop DDoS attacks before they affect the entire network. Behind the main firewall that faces the public network, you should have a web filter proxy.
To determine where to place other devices, you need to consider the rest of your network configuration. For example, consider load balancers. If we have a cluster of web servers in a DMZ, then the load balancer needs to be in the DMZ as well. However, if we have a cluster of database servers in a private network segment, then the load balancer must be placed with that cluster. Port mirroring will also be placed wherever your network demands it. This is often done throughout network switches so that traffic from a given network segment is also copied to another segment. This can be done to ensure that all network traffic is copied to an IDS or IPS; in that case, there must be collectors or sensors in every network segment, or else the IDS or IPS will be blind to activity in that segment.
Network aggregation switches are another device for which there is no definitive placement advice. These switches aggregate multiple streams of bandwidth into one. One example would be to use an aggregation switch to maximize bandwidth to and from a network cluster.
Network address translation (NAT) enables organizations to compensate for the address deficiency of IPv4 networking. NAT translates private addresses (internal to a particular organization) into routable addresses on public networks such as the internet. In particular, NAT is a method of connecting multiple computers to the internet (or any other IP network) using one IP address.
NAT complements firewalls to provide an extra measure of security for an organization’s internal network. Usually, hosts from inside the protected networks, which have private addresses, are able to communicate with the outside world, but systems that are located outside the protected network have to go through the NAT boxes to reach internal networks. Moreover, NAT enables an organization to use fewer IP addresses, which helps confuse attackers about which particular host they are targeting.
Personal firewalls are software-based firewalls installed on each computer in the network. They work in much the same way as larger border firewalls — they filter out certain packets to prevent them from leaving or reaching your system. The need for personal firewalls is often questioned, especially in corporate networks, which have large dedicated firewalls that keep potentially harmful traffic from reaching internal computers. However, that firewall can’t do anything to prevent internal attacks, which are quite common and often very different from the ones from the internet; attacks that originate within a private network are usually carried out by viruses. So, instead of disabling personal firewalls, simply configure a standard personal firewall according to your organization’s needs and export those settings to the other personal firewalls.
Record suspicious logins and other computer events and look for anomalies. This best practice will help you reconstruct what happened during an attack so you can take steps to improve your threat detection process and quickly block attacks in the future. However, remember that attackers are clever and will try to avoid detection and logging. They will attack a sacrificial computer, perform different actions and monitor what happens in order to learn how your systems work and what thresholds they need to stay below to avoid triggering alerts.
Limiting users to browsing only the websites you’ve explicitly approved helps in two ways. First, it limits your attack surface. If users cannot go to untrusted websites, they are less vulnerable. It’s a solid solution for stopping initial access via the web. Second, whitelisting limits hackers’ options for communication after they compromise a system. The hacker must use a different protocol, compromise an upstream router, or directly attack the whitelisting mechanism to communicate. Web domain whitelisting can be implemented using a web filter that can make web access policies and perform web site monitoring.
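The matching step of such a web filter is easy to get subtly wrong, so here is an added example (not from the original article) of a host check that compares whole DNS labels and denies anything it cannot parse. The approved domains and the sample requests are constructed placeholders.

```python
from urllib.parse import urlsplit

# Hypothetical approved domains (constructed for this example).
ALLOWLIST = {"example.com", "intranet.example.org"}

def host_allowed(url, allowlist=ALLOWLIST):
    """Return True only if the URL's host is an approved domain or a
    subdomain of one. Anything that cannot be parsed is denied."""
    try:
        host = urlsplit(url).hostname   # lowercased, port and userinfo removed
    except ValueError:
        return False
    if not host:
        return False
    host = host.rstrip(".")             # "example.com." names the same host
    # Compare whole labels so "notexample.com" does not pass as "example.com".
    return any(host == d or host.endswith("." + d) for d in allowlist)

# Constructed requests as a web filter might see them.
REQUESTS = [
    "https://example.com/login",
    "HTTPS://WWW.Example.COM:8443/a",
    "https://example.com./",
    "http://notexample.com/",
    "http://example.com.attacker.test/",
    "http://example.com@attacker.test/",
    "http://203.0.113.10/update",
]

def blocked(requests):
    """Return the requests the filter would refuse, for logging and review."""
    return [u for u in requests if not host_allowed(u)]
```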
All outbound web access should be routed through an authenticating server where access can be controlled and monitored. Using a web proxy helps ensure that an actual person, not an unknown program, is driving the outbound connection. There can be up-front work required to reconfigure the network into this architecture, but once done, it requires few resources to maintain. It has practically no impact on the user base and therefore is unlikely to generate any pushback. It raises the level of operational security since there is a single point device that can be easily monitored.
A honeypot is a separate system that appears to be an attractive target but is in reality a trap for attackers (internal or external). For example, you might set up a server that appears to be a financial database but actually has only fake records. Using a honeypot accomplishes two important goals. First, attackers who believe they have found what they are looking for will leave your other systems alone, at least for a while. Second, since a honeypot is not a real system, no legitimate users ever access it, and therefore you can turn on extremely detailed monitoring and logging there. When an attacker does access it, you’ll be gathering an impressive amount of evidence to aid in your investigation.
A honeynet is the next logical extension of a honeypot — it is a fake network segment that appears to be a very enticing target. Some organizations set up fake wireless access points for just this purpose.
To deal with insider threats, you need both prevention and detection strategies. The most important preventive measure is to establish and enforce the least-privilege principle for access management and access control. Giving users the least amount of access they need to do their jobs enhances data security, because it limits what they can accidentally or deliberately access and ensures that if their password is compromised, the hacker doesn’t have all the keys to the kingdom. Other preventive measures include system hardening, anti-sniffing networks and strong authentication. Detection strategies include monitoring users and networks and using both network- and host-based intrusion detection systems, which are typically based on signatures, anomalies, behavior or heuristics.
End users also need to be trained in how to deal with the security threats they face, such as phishing emails and attachments. The best security in the world can be undermined by end users who fail to follow security policies. However, they cannot really be expected to follow those policies without adequate training.
You should monitor the use of different protocol types on your network to establish baselines at both the organization level and the user level. Protocol baselining includes both wired and wireless networks. Data for the baseline should be obtained from routers, switches, firewalls, wireless APs, sniffers and dedicated collectors. Protocol deviations could indicate tunneling information or the use of unauthorized software to transmit data to unknown destinations.
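A minimal sketch of protocol baselining at both levels, added here as an example and not taken from the original article: it computes each user's and the organization's share of bytes per protocol, then flags protocols that are new or whose share has grown sharply. The record format, the 0.20 threshold and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

def protocol_shares(records):
    """Return {user: {protocol: share of bytes}}, with the organization-wide
    shares stored under the key "*". Records are (user, protocol, bytes)."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, proto, nbytes in records:
        totals[user][proto] += nbytes
        totals["*"][proto] += nbytes
    shares = {}
    for key, per_proto in totals.items():
        total = sum(per_proto.values())
        shares[key] = {p: b / total for p, b in per_proto.items()}
    return shares

def deviations(baseline, observed, max_increase=0.20):
    """Flag protocols absent from the baseline, or whose share of traffic grew
    by more than max_increase (absolute) over the baseline share."""
    alerts = []
    for key, per_proto in sorted(observed.items()):
        base = baseline.get(key, {})
        for proto, share in sorted(per_proto.items()):
            if proto not in base:
                alerts.append((key, proto, "new protocol"))
            elif share - base[proto] > max_increase:
                alerts.append((key, proto, "share increased"))
    return alerts

# Constructed flow summaries, as a collector might export them.
BASELINE_PERIOD = [
    ("alice", "https", 9000), ("alice", "dns", 500), ("alice", "smtp", 500),
    ("bob", "https", 7000), ("bob", "dns", 1000), ("bob", "ssh", 2000),
]
CURRENT_PERIOD = [
    ("alice", "https", 4000), ("alice", "dns", 5000), ("alice", "smtp", 1000),
    ("bob", "https", 7000), ("bob", "dns", 1000), ("bob", "ssh", 1500),
    ("bob", "irc", 500),
]

def current_alerts():
    """Compare the constructed current period against the constructed baseline."""
    return deviations(protocol_shares(BASELINE_PERIOD),
                      protocol_shares(CURRENT_PERIOD))
```

In the sample data, alice's DNS share jumps from 5% to 50% of her traffic, the kind of deviation that can indicate tunneling, and bob starts using a protocol that never appeared in his baseline.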
A virtual private network (VPN) is a secure private network connection across a public network. For example, VPNs can be used to connect LANs together across the internet. With a VPN, the remote end appears to be connected to the network as if it were connected locally. A VPN requires either special hardware or VPN software to be installed on servers and workstations. VPNs typically use a tunneling protocol, such as Layer 2 Tunneling Protocol, IPSec or Point-to-Point Tunneling Protocol (PPTP). To improve security, VPNs usually encrypt data, which can make them slower than normal network environments.
In addition to diversity of controls, you should strive for diversity of vendors. For example, to defend against malware, you should have antimalware software on each of your computers, as well as on the network and at the firewall — and use software from different vendors for each of these places. Because each vendor uses the same malware detection algorithms in all its products, if your workstation, network and firewall antimalware solutions all come from vendor A, then anything missed by one product will be missed by all three. The best approach is to use vendor A for the firewall antimalware, vendor B for the network solution, and vendor C to protect individual computers. The probability of all three products, created by different vendors and using different detection algorithms, missing a specific piece of malware is far lower than any one of them alone missing it.
An IDS can be an important and valuable part of your network security strategy. To get the most value from your IDS, take advantage of both ways it can detect potentially malicious activities:
Many network devices and software solutions can be configured to automatically take action when an alarm is triggered, which dramatically reduces response time. Here are the actions you can often configure:
Physical controls should be established and security personnel should ensure that equipment and data do not leave the building. Moreover, direct access to network equipment should be prohibited for unauthorized personnel.