Network Security Components
In today’s interconnected world, where information is constantly being transmitted and shared, network security plays a crucial role in safeguarding sensitive data and protecting against cyber threats. This blog post aims to provide a comprehensive overview of the essential components of a robust network security system.
Network security components form the backbone of any robust network security system. By implementing a combination of firewalls, IDS, VPNs, SSL/TLS, access control systems, antivirus software, DLP systems, network segmentation, SIEM systems, and well-defined security policies, organizations can significantly enhance their network security posture and protect against evolving cyber threats.
Highlights: Network Security Components
- Different Network Security Layers
Design and implementing a network security architecture is a composite of different technologies working at different network security layers in your infrastructure, spanning on-premises and in the cloud. So, we can have other point systems operating at the network security layers or look for an approach where each network security device somehow works holistically. These are the two options. Whichever path of security design you opt for, you will have the same network security components carrying out their security function, either virtual or physical, or a combination of both.
- Platform and Point Solution Approach
However, there will be a platform-based or individual point solution approach. However, some of the traditional security functionality that has been around for decades, such as firewalls, are still at large, along with new ways to protect, especially regarding endpoint protection.
Related: For pre-information, you may find the following post helpful:
- Dynamic Workload Scaling
- Stateless Networking
- Cisco Secure Firewall
- Data Center Security
- Network Connectivity
- Distributed Systems Observability
- Zero Trust Security Strategy
- Data Center Design Guide
Network Security Components |
|
Knowledge Check: Network Security Components
Network security is a critical aspect of any organization’s IT infrastructure. It involves safeguarding the network from unauthorized access, data breaches, and other security threats. Implementing network security with various network security components is required to achieve this goal.
1. Firewalls:
Firewalls are one of the most essential network security components. They monitor and control incoming and outgoing network traffic based on predefined security rules. Firewalls can be hardware-based or software-based and are designed to prevent unauthorized access to the network.
Firewalls act as the first line of defense in network security. They monitor and control incoming and outgoing network traffic based on predetermined security rules. By filtering out unauthorized access attempts and malicious traffic, firewalls help prevent unauthorized access to the network infrastructure.
2. Intrusion Detection and Prevention Systems (IDPS):
IDPS is a security system that monitors network traffic for signs of unauthorized access, misuse, or malicious activity. It can detect and prevent network attacks by analyzing traffic, identifying suspicious activity patterns, and responding to security threats.
An Intrusion Detection System detects and alerts network administrators about any unauthorized or suspicious activities within a network. It monitors network traffic, analyzes patterns, and compares potential security breaches against known attack signatures or behavior anomalies.
Network Security | ||
Intrusion Detection and Prevention | Virtual Private Networks | |
Anti Virus | Anti Malware | |
Access Control | Data Loss Prevention | |
SIEM Systems | Effective Security Policy |
3. Virtual Private Networks (VPNs):
VPNs establish secure connections between remote users and the corporate network. They use encryption and tunneling protocols to ensure that data transmitted between the remote user and the network is secure and cannot be intercepted by unauthorized users.
VPNs provide secure remote connectivity by creating a private and encrypted connection over a public network. By encrypting data and establishing secure tunnels, VPNs ensure the confidentiality and integrity of transmitted information, making them essential for secure remote access and site-to-site connectivity.
Lab Guide on IPsec Site-to-Site VPN
IPsec VPN
Site-to-site IPsec VPNs are used to “bridge” two distant LANs together over the Internet. Generally, on the LAN, we use private addresses, so the two LANs cannot communicate without tunneling. In the following lab guide, I have configured IKEv1 IPsec between two Cisco ASA firewalls to bridge two LANs.
Note:
In the pkts encapsulated and encapsulated, we have incriminating packets. This is from the ping ( IMCP ) traffic. We also lost the first packet because ARP performs its role in the background when the ping is sent from R1.
We can also have a VPN with MPLS. Now, this is common in the service-provided environment. Again, we have a combination of protocols such as BGP, LDP, and an IGP. The P nodes in the MPLS network below have no information on the CE routes. However, the CE routers have reachability and can ping each other. This provides a BGP-free core enabling VPN across the service provider infrastructure.
4. Network Access Control (NAC):
NAC is a security solution that controls network access based on predefined policies. It ensures that only authorized users and devices can access the network and comply with the organization’s security policies.
5. Antivirus and Antimalware Software:
Antivirus and antimalware software are essential network security components. They protect the network from malware, viruses, and other malicious software by scanning for and removing any threats detected on the network.
Antivirus and antimalware software protect against malicious software (malware) that can compromise network security. These software solutions scan files and applications for known malware signatures or suspicious behavior, enabling proactive detection and removal of potential threats.
6. Secure Sockets Layer/Transport Layer Security (SSL/TLS):
SSL/TLS protocols provide secure communication over the internet by encrypting data exchanged between a client and a server. These protocols ensure that data transmitted between the two parties remain confidential and tamper-proof, making them vital for secure online transactions and communication.
7. Access Control Systems:
Access control systems regulate and manage user access to network resources. By implementing authentication mechanisms, such as usernames, passwords, or biometric authentication, access control systems ensure that only authorized individuals can access sensitive information, reducing the risk of unauthorized access.
8. Data Loss Prevention (DLP) Systems:
DLP systems monitor and prevent the unauthorized transfer or disclosure of sensitive data. By identifying and classifying sensitive information, DLP systems enforce policy-based controls to prevent data breaches, ensuring compliance with data protection regulations,
9. Network Segmentation:
Network segmentation involves dividing a network into multiple smaller subnetworks to isolate and contain potential security threats. By limiting the impact of an attack to a specific segment, network segmentation enhances security and reduces the risk of lateral movement within a network.
10. Security Information and Event Management (SIEM) Systems:
SIEM systems collect, analyze, and correlate security event logs from various network devices, servers, and applications. By providing real-time monitoring and threat intelligence, SIEM systems enable early detection and response to security incidents, enhancing overall network security posture.
11. Security Policies and Procedures:
Comprehensive security policies and procedures are crucial for maintaining a secure network environment. These policies define acceptable use, access controls, incident response, and other security practices that guide employees in adhering to best security practices.
Lab Guide on Port Scanning
Port Scanning with Netcat
In the following guide, we will look at Netcat, which can be used for security scanning. Netcat, often called “nc,” is a command-line tool that facilitates data connection, transfer, and manipulation across networks. Initially developed for Unix systems, it has since been ported to various operating systems, including Windows. Netcat operates in a client-server model, allowing users to establish connections between two or more machines.
Note:
To familiarize yourself with the configuration and commands, type nc -h to display the manual. In the following screenshot, you can see the options available to you. This shows the various options you can use with the tool and the command syntax to invoke it.
Test Netcat to ensure connectivity between the Ubuntu Desktop and the Target Machine. The target’s IP address is 192.168.18.131, another Ubuntu test network host. Type nc -vz 192.168.18.131 22 to attempt to open a connection from the Ubuntu Desktop to the Target Machine over port 22.
Next, we will create a script to make it more dynamic. Essentially, we are creating a port scanning with a bash script. The script now asks you to type in the IP address to scan manually. This allows you to use the same script and give it different inputs each time it’s run instead of modifying the script contents for each scan conducted.
Take note of the two scripts created below.
Back to Basics: Security Components
The value of network security
Network security is essential to any company or organization’s data management strategy. It is the process of protecting data, computers, and networks from unauthorized access and malicious attacks. Network security involves various technologies and techniques, such as firewalls, encryption, authentication, and access control.
Firewalls help protect a network from unauthorized access by preventing outsiders from connecting to the network. Encryption is used to protect data from being intercepted by malicious actors. Authentication is used to verify a user’s identity, and access control is used to manage who has access to a network and what type of access they have.
Lab Guide: Firewalling
Firewall and Cisco ACI
The following is a typical firewalling setup. I’m using Cisco ASA; however, all firewalls, regardless of vendor, work with security zones. We will have internal, external, and DMZ in a distinctive firewall design. R1 is internal, R3 is DMZ, and R2 is external. This does direct traffic flow as R2 cannot communicate with R1 and R3 by default. However, it can communicate with R3 and R2.
Note:
The Cisco ASA Firewall uses so-called “security levels” that indicate how trusted an interface is compared to another. The higher the security level, the more trusted the interface is. Each interface on the ASA is a security zone, so by using these security levels, we have different trust levels for our security zones.
An interface with a high-security level can access an interface with a low-security level. Still, the other way around is impossible unless we configure an access list that permits this traffic. In the screenshot below, we have NAT configured, and the internal address of R1 is translated to 192.168.2.196. This is known as Dynamic NAT, configured with ASA Object Groups.
Firewall security policy
A firewall is an essential part of an organization’s comprehensive security policy. A security policy defines the goals, objectives, and procedures of security. All of which can be implemented with a firewall. There are many different firewalling modes and firewall types.
However, generally, firewalls can focus on the packet header, the packet payload, which is the essential data of the packet, or both, the session’s content, the establishment of a circuit, and possibly other assets. Most firewalls concentrate on only one of these. The most common filtering focus is on the packet’s header, with the packet’s payload a close second.
Firewalls come in various sizes and flavors. The most typical idea of a firewall is a dedicated system or appliance that sits in the network and segments an “internal” network from the “external” Internet.
The primary difference between these two types of firewalls is the number of hosts the firewall protects. Within the network firewall type, there are primary classifications of devices, including the following:
- Packet-filtering firewalls (stateful and nonstateful)
- Circuit-level gateways
- Application-level gateways
Network security operating at different network security layers
We have several network security components from the endpoints to the network edge, be it a public or private cloud. Policy and controls are enforced at each network security layer, giving adequate control and visibility of threats that may seek to access, modify, or break a network and its applications. Firstly, network security is provided from the network: your IPS/IDS, virtual firewalls, and distributed firewalls technologies.
Second, some network security, known as endpoint security, protects the end applications. Of course, you can’t have one without the other, but if you were to pick a favorite, it would be endpoint security.
Remember that most of these network security layers in most security architecture I see in many consultancies are distinct. There may even be a different team looking after each component. This is how it has been for a while, but there needs to be some integration between the layers of security to be more in line with the changes in the security landscape.
WAN security with Cisco DMVPN
DMVPN: A Routing Technique.
Cisco DMVPN (Dynamic Multipoint Virtual Private Network) is a widely used technology connecting multiple sites and remote users to a central location. While DMVPN offers many benefits, such as scalability, flexibility, and ease of deployment, it is also essential to consider security.
Here are some best practices for DMVPN security:
1. Authentication: DMVPN should always use authentication to ensure only authorized users can access the network. Authentication mechanisms such as passwords, digital certificates, and tokens can be used to secure the network.
2. Encryption: Encryption should be used to protect data transmitted over DMVPN. Encryption algorithms such as AES and 3DES are commonly used to ensure confidentiality.
3. Firewall: DMVPN should be deployed with a firewall to prevent unauthorized access to the network. The firewall should be configured to allow only necessary traffic to pass through.
4. Access Control: Access control should be implemented to restrict access to sensitive data. Access control mechanisms such as role-based access control (RBAC) can ensure that only authorized users can access sensitive data.
5. Logging and Monitoring: Logging and monitoring are critical to detect and respond to security incidents. DMVPN should be configured to log all network traffic and events, and monitoring tools should be used to detect any unusual activity.
Lab Guide on DMVPN
DMVPN Network
In the following lab guide, we have a DMVPN network. The DMVPN network has created a group of technologies working together, such as GRE for the tunneling and NHRP but for mapping interfaces to tunnel endpoints. In our case, we are running an earlier version of DMVPN with DMVPN phase 1.
We know this as we have a point-to-point GRE tunnel. DMVPN phase 3, which allows dynamic spoke-to-spoke tunnels from R2 and R3, would use mGRE. By default, DMVPN does not have built-in security. Security can be provided with IPsec. Here, you will see the command on the spoke sites: tunnel protection ipsec profile DMVPN_IPSEC_PROFILE.
Network Security Challenges
Multi-cloud
The applications now are diverse. We have container based virtualization that can be hosted in both on-premises and cloud locations, enabling hybrid and multi-cloud environments that need to be protected. Native security controls in the public cloud are insufficient. For a start, security groups (SGs) in one public cloud do not span multiple clouds without some other technologies set that can sit in front of the two clouds, enabling a secure multi-cloud.
Multi cloud Terraform
The challenge with the cloud is that dynamic infrastructure means infinite volume. However, multi-cloud deployments add complexity because each provider has its interfaces, tools, and workflows. You may have the option to deploy across multiple clouds with Terraform consistently. Terraform lets you use the same workflow to manage multiple providers and handle cross-cloud dependencies. This simplifies management and orchestration for large-scale, multi-cloud infrastructures.
Changes in perimeter location and types
We also know this new paradigm spreads the perimeter, potentially increasing the attack surface with many new entry points. For example, if you are protecting a microservices environment, each unit of work represents a business function that needs security. So we now have many entry points to cover, moving security closer to the endpoint.
A recommended starting point: Enforcement with network security layers
So, we need a multi-layered approach to network security that can implement security controls at different points and network security layers. With this approach, we are ensuring a robust security posture regardless of network design. Therefore, the network design should become irrelevant to security. The network design can change; for example, adding a different cloud should not affect the security posture. The remainder of the post will discuss the standard network security component.
Network Security Components
Step1: Access control
Firstly, we need some access control. This is the first step to security. Bad actors are not picky about location when launching an attack. An attack can come from literally anywhere and at any time. Therefore, network security starts with access control carried out with authentication, authorization, accounting (AAA), and identity management.
Authentication proves that the person or service is who they say they are. Authorization allows them to carry out tasks related to their role. Identity management is all about managing the attributes associated with the user, group of users, or another identity that may require access. The following figure shows an example of access control. More specifically, network access control.
Identity-centric access control
It would be best to have an identity based on logical attributes, for example, the multi-factor authentication (MFA), transport layer security (TLS) certificate, the application service, or a logical label/tag. Be careful when using labels/tags when you have cross-domain security.
So, policies are based on logical attributes rather than using IP addresses to base policies you may have used. This ensures an identity-centric design around the user identity, not the IP address.
Once initial security controls are passed, a firewall security device ensures that the users can only access services they are allowed to. These devices decide who gets access to which parts of the network. The network would be divided into different zones or micro-segments depending on the design. Adopting micro-segments is more granular regarding the difference between micro-segmentation and micro-segmentation.
Dynamic access control
Access control is the most critical component of an organization’s cybersecurity protection. For too long, access control has been based on static entitlements. Now, we are demanding dynamic access control, with decisions made in real-time. Access support must support an agile IT approach with dynamic workloads across multiple cloud environments.
A pivotal point to access control is that it is dynamic and real-time, constantly accessing and determining the risk level. Thereby preventing unauthorized access and threats like a UDP scan. We also have zero trust network design tools, such as single packet authentication (SPA), that can keep the network dark until all approved security controls are passed. Once security controls are passed, access is granted.
Network Security Components | Network Security Layers
Step2: The firewall and firewall design locations
A firewalling strategy can offer your environment different firewalls, capabilities, and defense-in-depth levels. Each firewall type positioned in other parts of the infrastructure forms a security layer providing a defense-in-depth and robust security architecture. There are two firewalling types at a high level: internal, which can be distributed among the workloads, and border-based firewalling.
Firewalling at the different network security layers
The different firewall types offer capabilities that begin with basic packet filters, reflexive ACL, stateful inspection, and next-generation features such as micro-segmentation and dynamic access control. These can take the form of physical or virtualized.
Firewalls purposely built and designed for a particular type of role should not be repurposed to carry out the functions that belong and are intended to be offered by a different firewall type. The following diagram lists the different firewall types. Around 9 firewall types are working at different layers in the network.
The Edge Firewall
Macro segmentation
The firewall monitors and controls the incoming and outgoing network traffic based on predefined security rules. It establishes a barrier between the trusted network and the untrusted network. The firewall commonly inspects Layer 3 to Layer 4 at the network’s edge. In addition, to reduce hair pinning and re-architecture, we have internal firewalls. We can put an IPD/IDS or an AV on an edge firewall.
But for the classic definition, the edge firewall does access control and segmentation based on IP subnets, known as macro segmentation. Macro segmentation is another term for traditional network segmentation. It is still the most prevalent segmentation technique in most networks and can have benefits and drawbacks.
Same segment, same sensitivity level
It is easy to implement but ensures that all endpoints in the same segment have or should have the same security level and, by security policy, can talk freely. We will always have endpoints of similar security levels, and macro segmentation is a perfect choice. Why introduce complexity when you do not need to?
Micro-segmentation
The same edge firewall can be used to do more granular segmentation; this is known as micro-segmentation. This is where the firewall works at a finer granularity, logically divides the data center into distinct security segments down to the individual workload level, then defines security controls and delivers services for each unique segment. So, each endpoint has its segment and can’t talk outside that segment without policy. However, we can have a specific internal firewall to do the micro-segmentation.
Cisco ACI and microsegmentation
Some micro-segmentation solutions could be Endpoint Groups (EPGs) with the Cisco ACI and ACI networks. ACI networks are based on ACI contracts that have subjects and filters to restrict traffic and enable the policy. Within the Endpoint Groups, traffic is unrestricted; however, we need an ACI contract for traffic to cross EPGs.
Internal Firewalls
Internal firewalls inspect higher up in the application stack and can have different types of firewall context. They operate at a workload level, creating secure micro perimeters with application-based security controls. The firewall policies are application-centric, purpose-built for firewalling east-west traffic with layer 7 network controls with the stateful firewall at a workload level.
Virtual firewalls and VM NIC firewalling
I often see virtualized firewalls here, and the rise of virtualization internal to the network introduces the world of virtual firewalls. The virtual firewalls are the internal firewalls distributed close to the workloads. For example, we can have the VM NIC firewall. In a virtualized environment, the VM NIC firewall is a packet filtering solution inserted between the VM Network Interfaces card of the Virtual Machines (VM) and the virtual hypervisor switch. All traffic that goes in and out of the VM has to pass via the virtual firewall.
Web application firewalls (WAF)
We could use web application firewalls (WAF) for application-level firewalls. These devices are similar to reverse proxies that can terminate and initiate new sessions to the internal hosts. The WAF has been around for quite some time to protect web applications by inspecting HTTP traffic.
However, they have the additional capability to work with illegal payloads that can better identify destructive behavior patterns than a simple VM NIC firewall.
WAF is good at detecting static and dynamic threats. WAFs protected a list of common web attacks, such as SQL injection and cross-site scripting, using pattern-matching techniques against the HTTP traffic. Active threats have been the primary source of threat and value a WAF can bring.
Network Security Components
Step3: The load balancer
A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across several servers. This allows organizations to ensure that their resources are used efficiently and that no single server is overburdened. This can improve the running applications’ performance, scalability, and availability.
Load balancing and load balancer scaling refer to efficiently distributing incoming network traffic across a group of backend servers, also known as a server farm or pool. For security, a load balancer has some capability and can absorb a lot of attacks, such as a volumetric DDoS attack. Here, we can have an elastic load balancer running in software.
So it can run in front of a web property and load balance between the various front ends, i.e., web servers. If it sees an attack, it can implement specific techniques. So, it’s doing a function beyond the load balancing function and providing a security function.
Network Security Components
Step4: The IDS
Traditionally, the IDS consists of a sensor installed on the network that monitors traffic for a set of defined signatures. The signatures are downloaded and applied to network traffic every day. The traditional IDS systems are not learning from behaviors over time or other network security devices. The solution only looks at a specific time, lacking an overall picture of what’s happening on the network.
They operate from an island of information, only examining individual packets and trying to ascertain whether there is a threat. This approach results in many false positives that cause alert fatigue. Also, when a trigger does occur, there is no copy of network traffic to do an investigation. Without this, how do you know the next stage of events? Working with IDS, security professionals are stuck with what to do next.
- A key point: IPS/IDS
Then we have the IPS/IDS. An example would be IDS IPS Azure.
An intrusion detection system (IDS) is a security system that monitors and detects unauthorized access to a computer or network. In addition, it monitors communication traffic from the system for suspicious or malicious activity and alerts the system administrator when it finds any. An IDS aims to identify and alert the system administrator of any malicious activities or attempts to gain unauthorized access to the system.
An IDS can be either a hardware or software solution or a combination. It can detect various malicious activities, such as viruses, worms, and malware. It can also see attempts to access the system, steal data, or change passwords. Additionally, an IDS can detect any attempts to gain unauthorized access to the system or other activities that are not considered standard.
The IDS uses various techniques to detect intrusion. These techniques include signature-based detection, which compares the incoming traffic against a database of known attacks; anomaly-based detection, which looks for any activity that deviates from normal operations; and heuristic detection, which uses a set of rules to detect suspicious activity.
Firewalls and static rules
Firewalls use static rules limiting network access to prevent access but don’t monitor for malicious activity. An IPS/IDS examines network traffic flows to detect and prevent vulnerability exploits. The classic IPS/IDS in most cases is that they have deployed behind the firewall and typically protocol analysis and do signature matching on various parts of the data packet.
The protocol matching is, in some sense, a compliance check against the publicly declared spec of the protocol. We are doing basic protocol checks if someone abuses some of the tags. Then, the IPS/IDS uses signatures to prevent known attacks. For example, an IPS/IDS uses a signature to prevent you from doing SQL injections.
Move security to the workload.
Like the application-based firewalls, the IPS/IDS functionality at each workload ensures comprehensive coverage without blind spots. So, as you can see, the security functions are moving much closer to the workloads, bringing the perimeter from the edge to the workload.
Network Security Components
Step5: Endpoint Security
Endpoint security is an integral part of any organization’s security strategy. It involves the protection of endpoints, such as laptops, desktops, tablets, and smartphones, from malicious activity. Endpoint security protects data stored on devices and the device itself from malicious code or activity.
Endpoint security includes various measures, including antivirus and antimalware software, application firewalls, device control, and patch management. Antivirus and antimalware software detect and remove malicious code from devices. Application firewalls protect by monitoring incoming and outgoing network traffic and blocking suspicious activity. Device control ensures that only approved devices can be used on the network. Finally, patch management ensures that devices are up-to-date with the latest security patches.
Network detection and response
Then, we have the network detection and response solutions. The Network detection and response (NDR) solutions are designed to detect cyber threats on corporate networks using machine learning and data analytics. They can help you discover evidence on the network and cloud of malicious activities that are in progress or have already occurred.
Some of the analyses promoting the NDR tools are “Next-Gen IDS.” One of the significant differences between NDR and old IDS tools is that NDR tools use multiple Machine Learning (ML) techniques to identify normal baselines and anomalous traffic rather than static rules or IDS signatures, which have a troubled time handling dynamic threats. The following figure shows an example of a typical attack lifecycle.
Anti-malware gateway
Anti-malware gateway products have a particular job. They look at the download, then take the file and try to open it. Files are put through a sandbox to test whether they contain anything malicious—the bad actors who develop malware test against these systems before releasing the malware. Therefore, the gateways often lag one step behind. Also, anti-malware gateways are limited in scope and not focused on anything but malware.
Endpoint detection and response (EDR) solutions look for evidence and effects of malware that may have slipped past EPP products. EDR tools also detect malicious insider activities such as data exfiltration attempts, left-behind accounts, and open ports. Endpoint security has the best opportunity to detect several threats. It is the closest to providing a holistic offering. It is probably the best point solution, but remember, it is just a point solution.
- A key point: DLP security
By monitoring the machine and process, endpoint security is there for the long haul instead of assessing a file on a once-off basis. It can see when malware is executing and then implement DLP. Data Loss Prevention (DLP) solutions are security tools that help organizations ensure that sensitive data such as Personally Identifiable Information (PII) or Intellectual Property (IP) does not get outside the corporate network or to a user without access. However, endpoint security does not take into account sophisticated use cases. For example, it doesn’t care what you print or what Google drives you share.
- A key point: Endpoint security and correlation?
In general, endpoint security does not do any correlation. For example, let’s say there is a .exe that connects to the database; there is nothing on the endpoint to say that it is a malicious connection. Endpoint security finds distinguishing benign from legitimate hard unless there is a signature. Again, it is the best solution, but it is not a managed service or has a holistic view.
The issue with point solutions
The security landscape is constantly evolving. To have any chance, security solutions also need to grow. There needs to be a more focused approach, continually developing security in line with today’s and tomorrow’s threats. For this, it is not to continuously buy more point solutions that are not integrated but to make continuous investments to ensure the algorithms are accurate and complete. So, if you want to change the firewall, you may need to buy a physical or virtual device.
Complex and scattered
Something impossible to do with the various point solutions designed with complex integration points scattered through the network domain. It’s far more beneficial to, for example, update an algorithm than to update the number of point solutions dispersed throughout the network. The point solution addresses one issue and requires a considerable amount of integration. You must continuously add keys to the stack, managing overhead and increased complexity. Not to mention license costs.
Would you like to buy a car or all the parts?
Let’s consider you are searching for a new car. Would you prefer to build the car with all the different parts or buy the already-built car? If we examine security, the way it has been geared up is provided in detail.
So I have to add this part here, and that part there, and none of these parts connect. Each component must be carefully integrated with another. It’s your job to support, manage, and build the stack over time. For this, you must be an expert in all the different parts.
Example: Log management
Let’s examine a log management system that needs to integrate numerous event sources such as firewalls, proxy servers, endpoint detection, and behavioral response solutions. We also have the SIEM. The SIEM collects logs from multiple systems. They present challenges to deploying and require tremendous work to integrate into existing systems. How do logs get into the SIEM when the device is offline?
How do you normalize the data, write the rules to detect suspicious activity, and investigate if there are legitimate alerts? The results you gain from the SIEM are poor, considering the investment you have to make. Therefore, considerable resources are needed to pull it off successfully.
- A key note: Security controls from the different vendors
As a final note, consider how you may have to administer the security controls from the different vendors. How do you utilize the other security controls from other vendors, and more importantly, how do you use them adjacent to one another? For example, Palo Alto operates an App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls.
In a network, different vendors will not support this feature. This poses the question: how do I utilize next-generation features from vendors adjacent to devices that don’t support it? Your network needs the ability to support features from one product across the entire network and then consolidate them into one. How do I use all the next-generation features without having one vendor?
- A key point: Use of a packet broker
However, changing an algorithm that can affect all firewalls in your network would be better. That would be an example of an advanced platform controlling all your infrastructures. Another typical example is a packet broker that can sit in the middle of all these tools. Fetch the data from the network and endpoints and then send it back to our existing security tools. Essentially, this ensures that there are no blind spots in the network.
This packet broker tool should support any workload and be able to send to any existing security tools. Now, we are bringing information from the network into your existing security tools and adopting a network-centric approach to security.
- Fortinet’s new FortiOS 7.4 enhances SASE - April 5, 2023
- Comcast SD-WAN Expansion to SMBs - April 4, 2023
- Cisco CloudLock - April 4, 2023