Network Security Overview
The Internet and the computer protocols that make it function were not created with security in mind, which left plenty of opportunity for computer criminals, often called hackers, to take advantage of network and software weaknesses. Today, cyber security, which includes Internet, network, and software security, is one of the fastest growing fields in computer technology. Network professionals have to play catch-up to raise their level of knowledge and counteract the advanced exploitation tools that are available even to novice hackers, called script kiddies. Some of the things a computer network security administrator needs to know today are:
• How to implement an intrusion detection system (IDS)
• How to implement an intrusion prevention system (IPS)
• How to configure standalone and integrated-services firewall devices, including packet-filtering firewalls, stateful firewalls, and zone-based firewalls
• How to keep aware of current trends and security threats through professional security organizations
• How to create a network security policy that defines how company and organization employees will access and protect company data
• How to protect important data through encryption and cryptography
• The characteristics of viruses, worms, and Trojan horses, and how to defend against them
• The various types of network attacks, including reconnaissance, access, and denial-of-service attacks, and how to defend against them
• How to implement a network monitoring system
• How to implement a network backup or accountability system
Today there is a growing number of security organizations dedicated to advancing network security and fighting computer crime. These organizations have attempted to give cyber security a structure by creating guiding principles and best practices for computer network security administrators and organizations to follow. Many of them have also created security certifications, websites, classes, and traveling seminars that let security professionals share information and network with each other. Here is a list of well-known security organizations:
- SANS Institute, www.sans.org – an educational security organization offering security certifications, training, and classes. Its website has free tools and information, including security-related news and research articles on network security. Its classes and seminars are offered in a variety of delivery methods (in person, online, etc.) and are generally very expensive.
- CERT, www.cert.org – part of the Software Engineering Institute (SEI) at Carnegie Mellon University, a federally funded organization dedicated to research and education in computer network and software security. CERT offers computer security classes to military, government, academic, and industry professionals. The classes are generally very expensive.
- ISC2, www.isc2.org – an educational security organization offering security-related certifications. ISC2 sponsors well-known security certifications, including the highly regarded Certified Information Systems Security Professional (CISSP) certification.
Domains of Network Security
The CCNA Security curriculum mentions the 12 domains of network information security published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 27002. The domains are a code of best practices for information security management. The 12 domains are like questions that every network administrator and IT department should be able to answer:
- Risk assessment – step one: analyze what information is at risk.
- Security policy – create a company security policy that defines the rules and expectations for employees' behavior and access to information.
- Organization of information security – how will the security policy be governed?
- Asset management – how will information assets be inventoried and classified?
- Human resources security – security rules for employees joining, moving or separating from the organization.
- Physical and environmental security – how will the technology be physically protected?
- Communications and operations management – who and what will manage the security controls for the network and information systems?
- Access control – who will have access and what will they have access to?
- Information systems acquisition, development and maintenance – how will software applications and systems be integrated into the network with a focus on security?
- Information security incident management – the protocols for anticipating and responding to information security breaches.
- Business continuity management – backup and recovery plans for computer information systems.
- Compliance – how does the company comply with current information security policies, standards, laws and regulations?
Viruses, Worms, and Trojans
- Virus – a computer virus is a malicious program that attaches or embeds itself in a legitimate program, executable file, or system file. Once a host is infected, the virus attempts to execute and replicate itself across multiple files and even hosts. Viruses variously damage, alter, and destroy computer files. They are typically spread by USB thumb drives and, most commonly, through email attachments. See: http://en.wikipedia.org/wiki/Computer_virus
- Worm – a computer worm is a malicious program that, when accessed, immediately installs itself in memory and spreads across a computer network. Worms do not need to attach themselves to legitimate programs, as viruses do, in order to run. Although a worm does not alter computer files the way a virus does, it can deliver executable payloads, often backdoors or Trojan horses, or simply drain system resources and bandwidth. See: http://en.wikipedia.org/wiki/Computer_worm
- Trojan Horse – a Trojan horse is a computer program that masquerades as a legitimate program but in reality does something far different. A common form of Trojan horse is malware that claims to be a legitimate antivirus program but, once downloaded, actually downloads viruses onto the user's computer. Though Trojan horses do not replicate themselves as a virus does, they are often piggybacked on computer worms in order to spread. See: http://en.wikipedia.org/wiki/Trojan_horse_(computing)
There are five distinct stages in a virus or worm attack:
- Probe – scanning network hosts for operating system or software vulnerabilities.
- Penetrate – launching an attack or exploit through an attack vector such as a program buffer overflow, an email attachment, or malicious code injected into a web page.
- Persist – the code may attempt to maintain control over the target system by installing a backdoor or creating additional executable system files that launch on startup.
- Propagate – in this stage the virus or worm targets additional computer systems in order to expand the number of infected systems.
- Paralyze – viruses cripple or shut down computer systems by corrupting system files, launching denial of service (DoS) and distributed denial of service (DDoS) attacks, and/or draining system and network resources such as CPU time and available bandwidth.
So how does a network administrator defend against viruses, worms and Trojans?
Client or Network based Antivirus Software
The main method of defense against viruses is having up-to-date antivirus software. There are many antivirus providers and some even provide free versions of their software for the home user. Three popular antivirus programs with free versions are AVG, Malwarebytes, and Avast.
Stateful Firewall and Access Lists
Worms attempt to spread across the network, and this can happen very quickly, so a good defense is a network firewall device with both inbound and outbound access control lists (ACLs).
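As an added example (not from the original page or from any vendor's code), the following Python model shows what the combination of inbound ACL, outbound ACL and connection state buys a defender: a reply to a session an inside host opened is allowed by the state table, an unsolicited inbound connection falls through to the implicit deny, and an outbound ACL on the client segment stops worm-style SMB propagation before it leaves the LAN. All addresses are documentation/private ranges and all packets are constructed; the ACL semantics (top-down, first match, implicit deny) follow those of a router ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for the first packet of a new TCP connection


# ACL entry: (action, source network, destination network, destination port);
# None matches anything. Entries are evaluated top-down, first match wins, and
# a packet matching nothing hits the implicit deny at the end, as on a router ACL.
Rule = Tuple[str, Optional[str], Optional[str], Optional[int]]

INBOUND_ACL: List[Rule] = [
    ("permit", None, "192.0.2.10/32", 443),   # public web server (constructed address)
    ("deny",   None, None, None),
]
OUTBOUND_ACL: List[Rule] = [
    ("deny",   "10.0.0.0/24", None, 445),     # SMB leaving the client LAN: classic worm vector
    ("deny",   "10.0.0.0/24", None, 135),     # RPC endpoint mapper, same reason
    ("permit", "10.0.0.0/24", None, None),    # everything else the clients start is fine
    ("deny",   None, None, None),
]


def in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def acl_lookup(acl: List[Rule], pkt: Packet) -> str:
    for action, src, dst, dport in acl:
        if in_net(pkt.src, src) and in_net(pkt.dst, dst) and dport in (None, pkt.dport):
            return action
    return "deny"


class StatefulFirewall:
    def __init__(self) -> None:
        self.sessions = set()          # (inside ip, inside port, outside ip, outside port)
        self.log: List[str] = []

    def process(self, pkt: Packet, direction: str) -> str:
        # Replies to a session an inside host opened are matched in the state table
        # and never consult the inbound ACL: that is what "stateful" adds to a plain ACL.
        if direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit-established"
        acl = INBOUND_ACL if direction == "in" else OUTBOUND_ACL
        verdict = acl_lookup(acl, pkt)
        if verdict == "permit" and direction == "out" and pkt.syn:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if verdict == "deny":
            self.log.append(f"DENY {direction} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return verdict


def run_scenario() -> List[str]:
    """Constructed traffic: one verdict per packet, in order."""
    fw = StatefulFirewall()
    traffic = [
        ("out", Packet("10.0.0.5", 51000, "203.0.113.8", 443, syn=True)),  # user opens HTTPS
        ("in",  Packet("203.0.113.8", 443, "10.0.0.5", 51000)),            # server reply
        ("in",  Packet("198.51.100.7", 4000, "10.0.0.5", 22)),             # unsolicited SSH probe
        ("in",  Packet("198.51.100.7", 4001, "192.0.2.10", 443)),          # visitor to web server
        ("out", Packet("10.0.0.5", 52000, "10.1.0.9", 445, syn=True)),     # worm-style SMB spread
    ]
    return [fw.process(p, d) for d, p in traffic]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The outbound deny on 445 and 135 is the part most often forgotten: an inbound-only ACL still lets an already-infected client fan out to every other segment it can route to.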
Host Based Intrusion Prevention System (HIPS)
A network administrator might also look into a Host Based Intrusion Prevention System (HIPS), sometimes called a Host Based Intrusion Detection System (HIDS), to help prevent worms, viruses, and various forms of network attack. A host-based intrusion detection system is installed on a host or client computer and dynamically monitors the computer for signs of malicious activity, such as changes in file size, memory usage, registry changes, etc. HIDS can be integrated with network antivirus software as well as centralized management and monitoring tools. Cisco Security Agent is a host-based intrusion prevention system.
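The file-change monitoring a HIDS performs is easy to see in miniature. The following added example (mine, not code from the page or from Cisco Security Agent) takes a baseline of size and SHA-256 for every file under a directory, then reports files that were added, removed or changed. It builds a constructed mini file tree in a temporary directory, including a config file edited to exactly the same size, which is why a hash and not just the size is recorded.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Fingerprint = Tuple[int, str]   # (size in bytes, SHA-256 hex digest)


def fingerprint(path: Path) -> Fingerprint:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return path.stat().st_size, h.hexdigest()


def baseline(root: Path) -> Dict[str, Fingerprint]:
    """Fingerprint every regular file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(old: Dict[str, Fingerprint], new: Dict[str, Fingerprint]) -> Dict[str, List[str]]:
    """Diff two baselines into the three event classes a HIDS would report."""
    return {
        "added":   sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed mini filesystem, take a baseline, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original binary")
        (root / "etc_hosts").write_text("127.0.0.1 localhost\n")
        (root / "readme.txt").write_text("unchanged\n")
        before = baseline(root)

        # Simulated tampering of the kind a HIDS should report (constructed):
        # 1. a system binary grows, so size and hash both change
        (root / "bin" / "login").write_bytes(b"original binary" + b"\x00" * 16)
        # 2. a config file is edited to the SAME length: size alone would miss it, the hash does not
        (root / "etc_hosts").write_text("10.0.0.99 localhost\n")
        # 3. a new file that would run at startup appears
        (root / "autorun.bat").write_text("@echo constructed sample\n")
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In a real deployment the baseline must live somewhere the monitored host cannot rewrite (a central management server, or at least a signed file), otherwise an intruder who can change `bin/login` can change the baseline too.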
Intrusion Prevention System (IPS)
An IPS inspects packets crossing the network and compares them against a preloaded database of threat signatures. It can examine packets up to layer 7.
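To show what "compares against a database of signatures up to layer 7" means in practice, here is an added example (my own, not from the page or any IPS vendor) of a toy signature engine: each constructed signature is scoped to a destination port (or any port) and a pattern that is searched in the reassembled application payload, and the verdict is drop, alert or pass. The last sample flow shows the classic blind spot of port-bound signatures, the same content on a non-standard port. The signature database, addresses and traffic are all constructed; the EICAR string is the public antivirus test string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    dport: Optional[int]     # None: applies to any destination port
    pattern: "re.Pattern"    # searched in the application-layer payload
    action: str              # "drop" (prevent) or "alert" (detect and log only)


# Constructed signature database for this example; a real IPS feed holds thousands.
SIGNATURES: List[Signature] = [
    Signature(1001, "HTTP directory traversal", 80, re.compile(rb"(\.\./){2,}"), "drop"),
    Signature(1002, "HTTP request for cmd.exe", 80, re.compile(rb"(?i)cmd\.exe"), "drop"),
    Signature(1003, "SQL keywords in HTTP request", 80, re.compile(rb"(?i)union\s+select"), "alert"),
    Signature(1004, "EICAR test file in any stream", None,
              re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"), "drop"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes           # reassembled application data, i.e. what layer-7 inspection sees


def inspect(flow: Flow) -> Tuple[str, List[int]]:
    """Return (verdict, matched signature ids); drop outranks alert, which outranks pass."""
    hits = [s for s in SIGNATURES
            if (s.dport is None or s.dport == flow.dport) and s.pattern.search(flow.payload)]
    verdict = "pass"
    if any(s.action == "alert" for s in hits):
        verdict = "alert"
    if any(s.action == "drop" for s in hits):
        verdict = "drop"
    return verdict, [s.sid for s in hits]


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_FLOWS: List[Flow] = [
    Flow("198.51.100.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Flow("198.51.100.7", "192.0.2.10", 80, b"GET /static/../../../../config.ini HTTP/1.1\r\n\r\n"),
    Flow("198.51.100.7", "192.0.2.10", 80, b"GET /search?q=1 UNION SELECT 1,2 HTTP/1.1\r\n\r\n"),
    Flow("198.51.100.9", "192.0.2.25", 25, b"DATA\r\n...EICAR-STANDARD-ANTIVIRUS-TEST-FILE...\r\n"),
    # Same traversal on a non-standard port: a port-bound signature misses it, which is
    # why production engines identify the protocol from content rather than port alone.
    Flow("198.51.100.7", "192.0.2.10", 8080, b"GET /static/../../../../config.ini HTTP/1.1\r\n\r\n"),
]


def run() -> List[str]:
    return [inspect(f)[0] for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run()):
        print(f"{verdict:6} port {flow.dport:<5} {flow.payload[:40]!r}")
```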
Web and Email Filtering Devices
A proxy web filter compares web page requests against a database of blacklisted websites and domains, and a proxy email filter scans emails for spam and virus-infected attachments.
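Both proxy checks described above can be written in a few functions. The following added example (mine, not from the page) matches a request host against a constructed blocklist on label boundaries, so a subdomain of a blocked domain is caught but a look-alike name is not, and judges an attachment by its name and by its leading bytes, so an executable renamed to .pdf is still quarantined. The spam score is a deliberately naive keyword count standing in for the statistical scoring a real mail filter uses; the blocklist, word list and messages are all constructed.

```python
from typing import Dict, List

# Constructed lists for this example (the .test TLD is reserved for exactly this purpose).
BLOCKED_DOMAINS = {"malware-example.test", "phish-example.test"}
RISKY_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs")
SPAM_WORDS = ("free", "winner", "urgent", "click here", "act now")


def normalize_host(host: str) -> str:
    """Lower-case, strip a trailing dot and an explicit port, so trivial variants still match."""
    return host.strip().lower().rstrip(".").split(":")[0]


def is_blocked_host(host: str) -> bool:
    """True if the host or any parent domain is blocklisted: cdn.x.test matches x.test,
    while notx.test does not, because matching is on label boundaries, not substrings."""
    labels = normalize_host(host).split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def attachment_risk(name: str, data: bytes) -> List[str]:
    """Reasons to quarantine an attachment, judged by its name AND its content."""
    reasons = []
    lower = name.lower()
    if lower.endswith(RISKY_EXTENSIONS):
        reasons.append("executable extension")
    if data.startswith(b"MZ"):            # PE header: an .exe renamed to .pdf is still caught
        reasons.append("PE executable content")
    if lower.count(".") >= 2 and not lower.endswith((".tar.gz", ".tar.bz2")):
        reasons.append("double extension")
    return reasons


def spam_score(subject: str, body: str) -> int:
    """Naive keyword count; a real filter scores statistically and uses sender reputation."""
    text = f"{subject} {body}".lower()
    return sum(text.count(w) for w in SPAM_WORDS)


def filter_mail(subject: str, body: str, attachments: Dict[str, bytes],
                spam_threshold: int = 3) -> str:
    """Verdict for one message: quarantine beats spam beats deliver."""
    if any(attachment_risk(n, d) for n, d in attachments.items()):
        return "quarantine"
    if spam_score(subject, body) >= spam_threshold:
        return "spam"
    return "deliver"


if __name__ == "__main__":
    for host in ("www.example.org", "cdn.malware-example.test", "notmalware-example.test"):
        print(f"{host:28} blocked={is_blocked_host(host)}")
    print(filter_mail("Invoice", "Please open.", {"invoice.pdf.exe": b"MZ\x90\x00"}))
    print(filter_mail("URGENT: you are a WINNER", "Click here to claim your free prize", {}))
    print(filter_mail("Quarterly report", "See attached.", {"report.pdf": b"%PDF-1.4"}))
```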