Common Threats and Vulnerabilities

This section illuminates the various threats and vulnerabilities that networks face. It explores the risks of malware, phishing attacks, social engineering, and insecure network configurations. Understanding these threats is essential for designing effective security measures to counteract them.

As cyber threats continue to evolve, advanced security technologies are gaining importance. We have Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Security Information and Event Management (SIEM) tools. Exploring these technologies helps organizations avoid potential attacks and quickly respond to security incidents.

Different Network Security Layers

Design and implementing a network security architecture is a composite of different technologies working at different network security layers in your infrastructure, spanning on-premises and in the cloud. So, we can have other point systems operating at the network security layers or look for an approach where each network security device somehow works holistically. These are the two options. Whichever path of security design you opt for, you will have the same network security components carrying out their security function, either virtual or physical, or a combination of both.

Platform and Point Solution Approach

However, there will be a platform-based or individual point solution approach. Some of the traditional security functionality that has been around for decades, such as firewalls, are still widely used, along with new ways to protect, especially regarding endpoint protection.

Related: For pre-information, you may find the following post helpful:

1. Dynamic Workload Scaling
2. Stateless Networking
3. Cisco Secure Firewall
4. Data Center Security 
5. Network Connectivity
6. Distributed Systems Observability
7. Zero Trust Security Strategy
8. Data Center Design Guide

Knowledge Check: Network Security Components

♦ Introducing the network security components

Network security is a critical aspect of any organization’s IT infrastructure. It involves safeguarding the network from unauthorized access, data breaches, and other security threats. Implementing various network security components is required to achieve this goal.

1. Firewalls:

Firewalls are one of the most essential network security components. They monitor and control incoming and outgoing network traffic based on predefined security rules. Firewalls can be hardware-based or software-based and are designed to prevent unauthorized access to the network.

Firewalls act as the first line of defense in network security. They monitor and control incoming and outgoing network traffic based on predetermined security rules. By filtering out unauthorized access attempts and malicious traffic, firewalls help prevent unauthorized access to the network infrastructure.

2. Intrusion Detection and Prevention Systems (IDPS):

IDPS is a security system that monitors network traffic for signs of unauthorized access, misuse, or malicious activity. It can detect and prevent network attacks by analyzing traffic, identifying suspicious activity patterns, and responding to security threats.

An Intrusion Detection System detects and alerts network administrators about any unauthorized or suspicious activities within a network. It monitors network traffic, analyzes patterns, and compares potential security breaches against known attack signatures or behavior anomalies.

3. Virtual Private Networks (VPNs):

VPNs establish secure connections between remote users and the corporate network. They use encryption and tunneling protocols to ensure that data transmitted between the remote user and the network is secure and cannot be intercepted by unauthorized users.

VPNs provide secure remote connectivity by creating a private and encrypted connection over a public network. By encrypting data and establishing secure tunnels, VPNs ensure the confidentiality and integrity of transmitted information, making them essential for secure remote access and site-to-site connectivity.

1st Lab Guide: IPsec Site-to-Site VPN

IPsec VPN

Site-to-site IPsec VPNs are used to “bridge” two distant LANs together over the Internet. Generally, on the LAN, we use private addresses, so the two LANs cannot communicate without tunneling. In the following lab guide, I have configured IKEv1 IPsec between two Cisco ASA firewalls to bridge two LANs.

Note:

In the pkts encapsulated and encapsulated, we have incriminating packets. This is from the ping ( IMCP ) traffic. We also lost the first packet because ARP performs its role in the background when the ping is sent from R1.

We can also have a VPN with MPLS. Now, this is common in the service-provided environment. Again, we have a combination of protocols such as BGP, LDP, and an IGP. The P nodes in the MPLS network below have no information on the CE routes. However, the CE routers are reachable and can ping each other. This provides a BGP-free core enabling VPN across the service provider infrastructure.

4. Network Access Control (NAC):

NAC is a security solution that controls network access based on predefined policies. It ensures that only authorized users and devices can access the network and comply with the organization’s security policies.

5. Antivirus and Antimalware Software:

Antivirus and antimalware software are essential network security components. They protect the network from malware, viruses, and other malicious software by scanning for and removing any threats detected on the network.

Antivirus and antimalware software protect against malicious software (malware) that can compromise network security. These software solutions scan files and applications for known malware signatures or suspicious behavior, enabling proactive detection and removal of potential threats.

6. Secure Sockets Layer/Transport Layer Security (SSL/TLS):

SSL/TLS protocols provide secure communication over the internet by encrypting data exchanged between a client and a server. These protocols ensure that data transmitted between the two parties remain confidential and tamper-proof, making them vital for secure online transactions and communication.

7. Access Control Systems:

Access control systems regulate and manage user access to network resources. By implementing authentication mechanisms, such as usernames, passwords, or biometric authentication, access control systems ensure that only authorized individuals can access sensitive information, reducing the risk of unauthorized access.

8. Data Loss Prevention (DLP) Systems:

DLP systems monitor and prevent the unauthorized transfer or disclosure of sensitive data. By identifying and classifying sensitive information, DLP systems enforce policy-based controls to prevent data breaches, ensuring compliance with data protection regulations,

9. Network Segmentation:

Network segmentation involves dividing a network into multiple smaller subnetworks to isolate and contain potential security threats. By limiting the impact of an attack on a specific segment, network segmentation enhances security and reduces the risk of lateral movement within a network.

10. Security Information and Event Management (SIEM) Systems:

SIEM systems collect, analyze, and correlate security event logs from various network devices, servers, and applications. By providing real-time monitoring and threat intelligence, SIEM systems enable early detection and response to security incidents, enhancing overall network security posture.

11. Security Policies and Procedures:

Comprehensive security policies and procedures are crucial for maintaining a secure network environment. These policies define acceptable use, access controls, incident response, and other security practices that guide employees in adhering to best security practices.

2nd Lab Guide: Port Scanning

Port Scanning with Netcat

In the following guide, we will look at Netcat, which can be used for security scanning. Netcat, often called “nc,” is a command-line tool that facilitates data connection, transfer, and manipulation across networks. Initially developed for Unix systems, it has since been ported to various operating systems, including Windows. Netcat operates in a client-server model, allowing users to establish connections between two or more machines.

Note:

To familiarize yourself with the configuration and commands, type nc -h to display the manual. In the following screenshot, you can see the options that are available to you. This shows the various choices you can use with the tool and the command syntax to invoke it.

Test Netcat to ensure connectivity between the Ubuntu Desktop and the Target Machine. The target’s IP address is 192.168.18.131, another Ubuntu test network host. Type nc -vz 192.168.18.131 22 to attempt to open a connection from the Ubuntu Desktop to the Target Machine over port 22.

Next, we will create a script to make it more dynamic. Essentially, we are creating a port scanning with a bash script. The script now asks you to type in the IP address to scan manually. This allows you to use the same script and give it different inputs each time it’s run instead of modifying the script contents for each scan conducted.

Take note of the two scripts created below.

Back to Basics: Security Components

The value of network security 

Network security is essential to any company or organization’s data management strategy. It is the process of protecting data, computers, and networks from unauthorized access and malicious attacks. Network security involves various technologies and techniques, such as firewalls, encryption, authentication, and access control.

Firewalls help protect a network from unauthorized access by preventing outsiders from connecting to it. Encryption protects data from being intercepted by malicious actors. Authentication verifies a user’s identity, and access control manages who has access to a network and their access type.

Understanding Encryption

Encryption is a method of encoding information so that only authorized parties can access and understand it. It involves transforming plain text into a scrambled form called ciphertext using complex algorithms and a unique encryption key.

The Role of Encryption in Data Security

Encryption is a robust shield that protects our data from unauthorized access and potential threats. It ensures that even if data falls into the wrong hands, it remains unreadable and useless without the corresponding decryption key.

Types of Encryption Algorithms

Various encryption algorithms are used to secure data, each with its strengths and characteristics. From the widely-used Advanced Encryption Standard (AES) to the asymmetric encryption of RSA, these algorithms employ different mathematical techniques to encrypt and decrypt information.

Understanding Authentication

Authentication, at its core, is the process of verifying the identity of an individual or entity. It serves as a gatekeeper, granting access only to authorized users. By confirming a user’s authenticity, businesses and organizations can protect against unauthorized access and potential security breaches.

The Importance of Strong Authentication

In an era of rising cyber threats, weak authentication measures can leave individuals and organizations vulnerable to attacks. Strong authentication is a crucial defense mechanism, ensuring only authorized users can access sensitive information or perform critical actions. It prevents unauthorized access, data breaches, identity theft, and other malicious activities.

Common Authentication Methods

There are several widely used authentication methods, each with its strengths and weaknesses. Here are a few examples:

1. Password-based authentication: This is the most common method where users enter a combination of characters as their credentials. However, it is prone to vulnerabilities such as weak passwords, password reuse, and phishing attacks.

2. Two-factor authentication (2FA): This method adds an extra layer of security by requiring users to provide a second form of authentication, such as a unique code sent to their mobile device. It significantly reduces the risk of unauthorized access.

3. Biometric authentication: Leveraging unique physical or behavioral traits like fingerprints, facial recognition, or voice patterns, biometric authentication offers a high level of security and convenience. However, it may raise privacy concerns and can be susceptible to spoofing attacks.

Enhancing Authentication with Multi-factor Authentication (MFA)

Multi-factor authentication (MFA) combines multiple authentication factors to strengthen security further. By utilizing a combination of something the user knows (password), something the user has (smartphone or token), and something the user is (biometric data), MFA provides an additional layer of protection against unauthorized access.

Understanding Authorization

Authorization is the gatekeeper of access control. It determines who has the right to access specific resources within a system. By setting up rules and permissions, organizations can define which users or groups can perform certain actions, view specific data, or execute particular functions. This layer of security ensures that only authorized individuals can access sensitive information, reducing the risk of unauthorized access or data breaches.

Granular Access Control

One key benefit of authorization is the ability to apply granular access control. Rather than providing unrestricted access to all resources, organizations can define fine-grained permissions based on roles, responsibilities, and business needs. This ensures that individuals only have access to the necessary resources to perform their tasks, minimizing the risk of accidental or deliberate misuse of data.

Role-Based Authorization

Role-based authorization is a widely adopted approach that simplifies access control management. Organizations can streamline the process of granting and revoking access rights by assigning roles to users. Roles can be structured hierarchically, allowing for easy management of permissions across various levels of the organization. This not only enhances security but also simplifies administrative tasks, as access rights can be managed at a group level rather than individually.

Authorization Policies and Enforcement

Organizations need to establish robust policies that govern access control to enforce authorization effectively. These policies define the rules and conditions for granting or denying resource access. They can be based on user attributes, such as job title or department, and contextual factors, such as time of day or location. By implementing a comprehensive policy framework, organizations can ensure access control aligns with their security requirements and regulatory obligations.

3rd Lab Guide: Generic Firewalling

Firewall and Cisco ACI

The following is a typical firewalling setup. I’m using Cisco ASA; however, all firewalls, regardless of vendor, work with security zones. We will have internal, external, and DMZ in a distinctive firewall design. R1 is internal, R3 is DMZ, and R2 is external. This does direct traffic flow as R2 cannot communicate with R1 and R3 by default. However, it can communicate with R3 and R2.

Note:

The Cisco ASA Firewall uses so-called “security levels” that indicate how trusted an interface is compared to another. The higher the security level, the more trusted the interface is. Each interface on the ASA is a security zone, so using these security levels gives us different trust levels for our security zones.

An interface with a high-security level can access an interface with a low-security level. Still, the other way around is impossible unless we configure an access list that permits this traffic. In the screenshot below, we have NAT configured, and the internal address of R1 is translated to 192.168.2.196. This is known as Dynamic NAT, and it is configured with ASA Object Groups.

Firewall security policy

A firewall is an essential part of an organization’s comprehensive security policy. A security policy defines the goals, objectives, and procedures of security, all of which can be implemented with a firewall. There are many different firewalling modes and types.

However, generally, firewalls can focus on the packet header, the packet payload (the essential data of the packet), or both, the session’s content, the establishment of a circuit, and possibly other assets. Most firewalls concentrate on only one of these. The most common filtering focus is on the packet’s header, with the packet’s payload a close second.

Firewalls come in various sizes and flavors. The most typical firewall is a dedicated system or appliance that sits in the network and segments an “internal” network from the “external” Internet.

The primary difference between these two types of firewalls is the number of hosts the firewall protects. Within the network firewall type, there are primary classifications of devices, including the following:

• • Packet-filtering firewalls (stateful and nonstateful)
  • Circuit-level gateways
  • Application-level gateways

3rd Lab Guide: Dynamic NAT on ASA Firewall

In this lab guide, I will address Dynamic NAT on the ASA firewall. Below, I am using the Cisco Modeling lab. In the middle, we have our ASA; its G0/0 interface belongs to the inside, and the G0/1 interface belongs to the outside. I’m using routers so that I have something to connect to.

Note: Unlike dynamic PAT, which is dynamic NAT with overload, dynamic NAT features no overload functionality in its most basic form. Whereby each global IP address is mapped to a single local IP address. Firstly, we have Dynamic NAT without fallback and Dynamic NAT with fallback. In this diagram below, if we use Dynamic NAT without fallback when all hosts on the 192.168.1.0 subnet try to access the outside network, we will run out of IP addresses in the public pool. The router R1 has several loopbacks, and I will telnet from each loopback as the source interface.

You can enable NAT fallback if you want. This means that when the public pool runs out of IP addresses, we will use the IP address on the outside interface (192.168.2.254) for translation. 

The result is that when the packet passes through the ASA, the port fields are left untouched, and only the IP addresses are translated. This has significant consequences for matching traffic. You could quickly run out of IP addresses in the translation pool.

Network security operating at different network security layers

We have several network security components from the endpoints to the network edge, be it a public or private cloud. Policy and controls are enforced at each network security layer, giving adequate control and visibility of threats that may seek to access, modify, or break a network and its applications. Firstly, network security is provided from the network: your IPS/IDS, virtual firewalls, and distributed firewalls technologies.

Second, some network security, known as endpoint security, protects the end applications. Of course, you can’t have one without the other, but if you were to pick a favorite, it would be endpoint security.

Remember that most of the network security layers in the security architecture I see in many consultancies are distinct. There may even be a different team looking after each component. This has been the case for a while, but there needs to be some integration between the layers of security to keep up with the changes in the security landscape.

WAN security with Cisco DMVPN

DMVPN: A Routing Technique.

Cisco DMVPN (Dynamic Multipoint Virtual Private Network) is a widely used technology connecting multiple sites and remote users to a central location. While DMVPN offers many benefits, such as scalability, flexibility, and ease of deployment, it is also essential to consider security.
Here are some best practices for DMVPN security:

• • Authentication: DMVPN should always use authentication to ensure that only authorized users can access the network. Authentication mechanisms such as passwords, digital certificates, and tokens can secure the network.
  • Encryption: Encryption algorithms such as AES and 3DES should be used to protect data transmitted over DMVPN.
  • Firewall: DMVPN should be deployed with a firewall to prevent unauthorized access to the network. The firewall should be configured to allow only necessary traffic to pass through.
  • Access Control: Access control should be implemented to restrict access to sensitive data. Mechanisms such as role-based access control (RBAC) can ensure that only authorized users can access sensitive data.
  • Logging and Monitoring: Logging and monitoring are critical to detect and respond to security incidents. DMVPN should be configured to log all network traffic and events, and monitoring tools should be used to detect any unusual activity.

4th Lab Guide: DMVPN

DMVPN Network

In the following lab guide, we have a DMVPN network. The DMVPN network has created a group of technologies working together, such as GRE for tunneling and NHRP and mapping interfaces to tunnel endpoints.  In our case, we are running an earlier version of DMVPN with DMVPN phase 1.

We know this as we have a point-to-point GRE tunnel. DMVPN phase 3, which allows dynamic spoke-to-spoke tunnels from R2 and R3, would use mGRE. By default, DMVPN does not have built-in security. Security can be provided with IPsec. Here, you will see the command on the spoke sites: tunnel protection ipsec profile DMVPN_IPSEC_PROFILE.

Network Security Challenges

Multi-cloud

The applications now are diverse. We have container based virtualization that can be hosted in both on-premises and cloud locations, enabling hybrid and multi-cloud environments that need to be protected. Native security controls in the public cloud are insufficient. For a start, security groups (SGs) in one public cloud do not span multiple clouds without some other technologies set that can sit in front of the two clouds, enabling a secure multi-cloud. 

Multi cloud Terraform

The challenge with the cloud is that dynamic infrastructure means infinite volume. However, multi-cloud deployments add complexity because each provider has its interfaces, tools, and workflows. You may have the option to deploy across multiple clouds consistently with Terraform. Terraform lets you use the same workflow to manage multiple providers and handle cross-cloud dependencies. This simplifies management and orchestration for large-scale, multi-cloud infrastructures.

Changes in perimeter location and types

We also know this new paradigm spreads the perimeter, potentially increasing the attack surface with many new entry points. For example, if you are protecting a microservices environment, each unit of work represents a business function that needs security. So we now have many entry points to cover, moving security closer to the endpoint.

 A recommended starting point: Enforcement with network security layers

So, we need a multi-layered approach to network security that can implement security controls at different points and network security layers. With this approach, we are ensuring a robust security posture regardless of network design. Therefore, the network design should become irrelevant to security. The network design can change; for example, adding a different cloud should not affect the security posture. The remainder of the post will discuss the standard network security component.

Network Security Components

Step1: Access control 

Firstly, we need some access control. This is the first step to security. Bad actors are not picky about location when launching an attack. An attack can come from literally anywhere and at any time. Therefore, network security starts with access control carried out with authentication, authorization, accounting (AAA), and identity management.

Authentication proves that the person or service is who they say they are. Authorization allows them to carry out tasks related to their role. Identity management is all about managing the attributes associated with the user, group of users, or another identity that may require access. The following figure shows an example of access control. More specifically, network access control.

Identity-centric access control

It would be best to have an identity based on logical attributes, such as the multi-factor authentication (MFA), transport layer security (TLS) certificate, the application service, or a logical label/tag. Be careful when using labels/tags when you have cross-domain security.

So, policies are based on logical attributes rather than using IP addresses to base policies you may have used. This ensures an identity-centric design around the user identity, not the IP address.

Once initial security controls are passed, a firewall security device ensures that the users can only access services they are allowed to. These devices decide who gets access to which parts of the network. The network would be divided into different zones or micro-segments depending on the design. Adopting micro-segments is more granular regarding the difference between micro-segmentation and micro-segmentation.

Dynamic access control

Access control is the most critical component of an organization’s cybersecurity protection. For too long, access control has been based on static entitlements. Now, we are demanding dynamic access control, with decisions made in real-time. Access support must support an agile IT approach with dynamic workloads across multiple cloud environments.

A pivotal point to access control is that it is dynamic and real-time, constantly accessing and determining the risk level. Thereby preventing unauthorized access and threats like a UDP scan. We also have zero trust network design tools, such as single packet authentication (SPA), that can keep the network dark until all approved security controls are passed. Once security controls are passed, access is granted.

Network Security Components | Network Security Layers

Step2: The firewall and firewall design locations

A firewalling strategy can offer your environment different firewalls, capabilities, and defense-in-depth levels. Each firewall type positioned in other parts of the infrastructure forms a security layer, providing a defense-in-depth and robust security architecture. At a high level, there are two firewalling types: internal, which can be distributed among the workloads, and border-based firewalling.

Firewalling at the different network security layers

The different firewall types offer capabilities that begin with basic packet filters, reflexive ACL, stateful inspection, and next-generation features such as micro-segmentation and dynamic access control. These can take the form of physical or virtualized.

Firewalls purposely built and designed for a particular role should not be repurposed to carry out the functions that belong to and are intended to be offered by a different firewall type. The following diagram lists the different firewall types. Around nine firewall types work at different layers in the network.

The Edge Firewall

Macro segmentation

The firewall monitors and controls the incoming and outgoing network traffic based on predefined security rules. It establishes a barrier between the trusted network and the untrusted network. The firewall commonly inspects Layer 3 to Layer 4 at the network’s edge. In addition, to reduce hair pinning and re-architecture, we have internal firewalls. We can put an IPD/IDS or an AV on an edge firewall.

In the classic definition, the edge firewall performs access control and segmentation based on IP subnets, known as macro segmentation. Macro segmentation is another term for traditional network segmentation. It is still the most prevalent segmentation technique in most networks and can have benefits and drawbacks.

Same segment, same sensitivity level 

It is easy to implement but ensures that all endpoints in the same segment have or should have the same security level and can talk freely, as defined by security policy. We will always have endpoints of similar security levels, and macro segmentation is a perfect choice. Why introduce complexity when you do not need to?

Micro-segmentation

The same edge firewall can be used to do more granular segmentation; this is known as micro-segmentation. In this case, the firewall works at a finer granularity, logically dividing the data center into distinct security segments down to the individual workload level, then defining security controls and delivering services for each unique segment. So, each endpoint has its segment and can’t talk outside that segment without policy. However, we can have a specific internal firewall to do the micro-segmentation.

Cisco ACI and microsegmentation

Some micro-segmentation solutions could be Endpoint Groups (EPGs) with the Cisco ACI and ACI networks. ACI networks are based on ACI contracts that have subjects and filters to restrict traffic and enable the policy. Within the Endpoint Groups, traffic is unrestricted; however, we need an ACI contract for traffic to cross EPGs.

Internal Firewalls 

Internal firewalls inspect higher up in the application stack and can have different types of firewall context. They operate at a workload level, creating secure micro perimeters with application-based security controls. The firewall policies are application-centric, purpose-built for firewalling east-west traffic with layer 7 network controls with the stateful firewall at a workload level. 

Virtual firewalls and VM NIC firewalling

I often see virtualized firewalls here, and the rise of virtualization internal to the network has introduced the world of virtual firewalls. Virtual firewalls are internal firewalls distributed close to the workloads. For example, we can have the VM NIC firewall. In a virtualized environment, the VM NIC firewall is a packet filtering solution inserted between the VM Network Interfaces card of the Virtual Machines (VM) and the virtual hypervisor switch. All traffic that goes in and out of the VM has to pass via the virtual firewall.

Web application firewalls (WAF)

We could use web application firewalls (WAF) for application-level firewalls. These devices are similar to reverse proxies that can terminate and initiate new sessions to the internal hosts. The WAF has been around for quite some time to protect web applications by inspecting HTTP traffic.

However, they have the additional capability to work with illegal payloads that can better identify destructive behavior patterns than a simple VM NIC firewall.

WAFs are good at detecting static and dynamic threats. They protect against common web attacks, such as SQL injection and cross-site scripting, using pattern-matching techniques against the HTTP traffic. Active threats have been the primary source of threat and value a WAF can bring.

Network Security Components

Step3: The load balancer

A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across several servers. This allows organizations to ensure that their resources are used efficiently and that no single server is overburdened. This can improve the running applications’ performance, scalability, and availability.

Load balancing and load balancer scaling refer to efficiently distributing incoming network traffic across a group of backend servers, also known as a server farm or pool. For security, a load balancer has some capability and can absorb many attacks, such as a volumetric DDoS attack. Here, we can have an elastic load balancer running in software.

So it can run in front of a web property and load balance between the various front ends, i.e., web servers. If it sees an attack, it can implement specific techniques. So, it’s doing a function beyond the load balancing function and providing a security function.

Network Security Components

Step4: The IDS 

Traditionally, the IDS consists of a sensor installed on the network that monitors traffic for a set of defined signatures. The signatures are downloaded and applied to network traffic every day. Traditional IDS systems do not learn from behaviors or other network security devices over time. The solution only looks at a specific time, lacking an overall picture of what’s happening on the network.

They operate from an island of information, only examining individual packets and trying to ascertain whether there is a threat. This approach results in many false positives that cause alert fatigue. Also, when a trigger does occur, there is no copy of network traffic to do an investigation. Without this, how do you know the next stage of events? Working with IDS, security professionals are stuck with what to do next.

• A key point: IPS/IDS  

Then we have the IPS/IDS. An example would be IDS IPS Azure.

An intrusion detection system (IDS) is a security system that monitors and detects unauthorized access to a computer or network. It also monitors communication traffic from the system for suspicious or malicious activity and alerts the system administrator when it finds any. An IDS aims to identify and alert the system administrator of any malicious activities or attempts to gain unauthorized access to the system.

An IDS can be either a hardware or software solution or a combination. It can detect various malicious activities, such as viruses, worms, and malware. It can also see attempts to access the system, steal data, or change passwords. Additionally, an IDS can detect any attempts to gain unauthorized access to the system or other activities that are not considered standard.

The IDS uses various techniques to detect intrusion. These techniques include signature-based detection, which compares the incoming traffic against a database of known attacks; anomaly-based detection, which looks for any activity that deviates from normal operations; and heuristic detection, which uses a set of rules to detect suspicious activity.

Firewalls and static rules

Firewalls use static rules to limit network access to prevent access but don’t monitor for malicious activity. An IPS/IDS examines network traffic flows to detect and prevent vulnerability exploits. The classic IPS/IDS is typically deployed behind the firewall and does protocol analysis and signature matching on various parts of the data packet.

The protocol matching is, in some sense, a compliance check against the publicly declared spec of the protocol. We are doing basic protocol checks if someone abuses some of the tags. Then, the IPS/IDS uses signatures to prevent known attacks. For example, an IPS/IDS uses a signature to prevent you from doing SQL injections. 

Move security to the workload.

Like the application-based firewalls, the IPS/IDS functionality at each workload ensures comprehensive coverage without blind spots. So, as you can see, the security functions are moving much closer to the workloads, bringing the perimeter from the edge to the workload.

Network Security Components

Step5: Endpoint Security

Endpoint security is an integral part of any organization’s security strategy. It involves the protection of endpoints, such as laptops, desktops, tablets, and smartphones, from malicious activity. Endpoint security protects data stored on devices and the device itself from malicious code or activity.

Endpoint security includes various measures, including antivirus and antimalware software, application firewalls, device control, and patch management. Antivirus and antimalware software detect and remove malicious code from devices. Application firewalls protect by monitoring incoming and outgoing network traffic and blocking suspicious activity. Device control ensures that only approved devices can be used on the network. Finally, patch management ensures that devices are up-to-date with the latest security patches.

Network detection and response 

Then, we have the network detection and response solutions. The Network detection and response (NDR) solutions are designed to detect cyber threats on corporate networks using machine learning and data analytics. They can help you discover evidence on the network and cloud of malicious activities that are in progress or have already occurred.

Some of the analyses promoting the NDR tools are “Next-Gen IDS.”  One significant difference between NDR and old IDS tools is that NDR tools use multiple Machine Learning (ML) techniques to identify normal baselines and anomalous traffic rather than static rules or IDS signatures, which have trouble handling dynamic threats. The following figure shows an example of a typical attack lifecycle.

Anti-malware gateway

Anti-malware gateway products have a particular job. They look at the download, then take the file and try to open it. Files are put through a sandbox to test whether they contain anything malicious—the bad actors who develop malware test against these systems before releasing the malware. Therefore, the gateways often lag one step behind. Also, anti-malware gateways are limited in scope and not focused on anything but malware.

Endpoint detection and response (EDR) solutions look for evidence and effects of malware that may have slipped past EPP products. EDR tools also detect malicious insider activities such as data exfiltration attempts, left-behind accounts, and open ports. Endpoint security has the best opportunity to detect several threats. It is the closest to providing a holistic offering. It is probably the best point solution, but remember, it is just a point solution. 

• A key point: DLP security 

By monitoring the machine and process, endpoint security is there for the long haul instead of assessing a file on a once-off basis. It can see when malware is executing and then implement DLP. Data Loss Prevention (DLP) solutions are security tools that help organizations ensure that sensitive data such as Personally Identifiable Information (PII) or Intellectual Property (IP) does not get outside the corporate network or to a user without access. However, endpoint security does not take sophisticated use cases into account. For example, it doesn’t care what you print or what Google drives you share. 

• A key point: Endpoint security and correlation?

In general, endpoint security does not do any correlation. For example, let’s say there is a .exe that connects to the database; there is nothing on the endpoint to say that it is a malicious connection. Endpoint security finds distinguishing benign from legitimate hard unless there is a signature. Again, it is the best solution, but it is not a managed service or has a holistic view. 

The issue with point solutions

The security landscape is constantly evolving. To have any chance, security solutions also need to grow. There needs to be a more focused approach, continually developing security in line with today’s and tomorrow’s threats. For this, it is not to continuously buy more point solutions that are not integrated but to make continuous investments to ensure the algorithms are accurate and complete. So, if you want to change the firewall, you may need to buy a physical or virtual device.

Complex and scattered

Something impossible to do with the various point solutions designed with complex integration points scattered through the network domain. It’s far more beneficial to, for example, update an algorithm than to update the number of point solutions dispersed throughout the network. The point solution addresses one issue and requires a considerable amount of integration. You must continuously add keys to the stack, managing overhead and increased complexity. Not to mention license costs.

Would you like to buy a car or all the parts?

Let’s consider you are searching for a new car. Would you prefer to build the car with all the different parts or buy the already-built car? If we examine security, the way it has been geared up is provided in detail.

So I have to add this part here and that part there, and none of these parts connect. Each component must be carefully integrated with another. It’s your job to support, manage, and build the stack over time. For this, you must be an expert in all the different parts.

Example: Log management

Let’s examine a log management system that needs to integrate numerous event sources such as firewalls, proxy servers, endpoint detection, and behavioral response solutions. We also have the SIEM. The SIEM collects logs from multiple systems. They present challenges to deploying and require tremendous work to integrate into existing systems. How do logs get into the SIEM when the device is offline?

How do you normalize the data, write the rules to detect suspicious activity, and investigate if there are legitimate alerts? The results you gain from the SIEM are poor, considering the investment you have to make. Therefore, considerable resources are needed to pull it off successfully.

• A keynote: Security controls from the different vendors 

As a final note, consider how you may have to administer the security controls from the different vendors. How do you utilize the other security controls from other vendors, and more importantly, how do you use them adjacent to one another? For example, Palo Alto operates an App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls.

In a network, different vendors will not support this feature. This poses the question: how do I utilize next-generation features from vendors adjacent to devices that don’t support it? Your network needs the ability to support features from one product across the entire network and then consolidate them into one. How do I use all the next-generation features without having one vendor?

• A keynote: Use of a packet broker

However, changing an algorithm that can affect all firewalls in your network would be better. That would be an example of an advanced platform controlling all your infrastructures. Another typical example is a packet broker that can sit in the middle of all these tools. Fetch the data from the network and endpoints and then send it back to our existing security tools. Essentially, this ensures that there are no blind spots in the network.

This packet broker tool should support any workload and be able to send to any existing security tools. Now, we are bringing information from the network into your existing security tools and adopting a network-centric approach to security.