Network security’s purpose is to protect the enterprise network from unauthorized access. Network security examines data traversing the enterprise network to detect intrusions against the network and the computers connected to it. In addition, the network architecture and its defenses can be used to channel user and attacker activity, routing it toward sensors and defensive mechanisms and away from weaknesses and vulnerabilities.
Network security needs to be considered in terms of security controls that include the following:
- Preventive controls such as firewalls that block attacker activity and separate sections of the network from each other.
- Detective controls, such as Intrusion Detection, that detect attacker activity that cannot be blocked.
- Monitoring controls that capture activity that is input to correlation engines that support forensics, investigations, and more sophisticated attack detection that considers multiple variables and data sources.
Containment is another important capability that network security can provide. Containment involves isolating attacker activity in one part of the enterprise (for example, end-user workstations or Internet-facing web servers) from other IT functions such as financial systems in order to provide for a layered defense. Similarly, network security can be used to establish compartments in the enterprise that can be used to contain attacks and give defenders opportunities to catch them before they proceed too far.
Network security can also involve filtering and monitoring the enterprise network traffic to block malicious network traffic and to detect attacker network traffic when attacks occur. It used to be that network security was satisfied by simply having a network firewall; today network security includes a long list of services, devices, proxies, and other capabilities that are rapidly changing and evolving.
Network Security: Goal and Objectives
Verizon found that 92% of breaches involved activities perpetrated by outsiders entering an enterprise from the Internet [1]. Mandiant has observed that sophisticated attackers can work around multiple layers of network defenses, particularly when computers and servers in the enterprise have Internet access [2]. These two factors combine to make network security a central and critical component of successful enterprise IT defense. Network security is also a powerful defensive capability, particularly when it is integrated with other security functional areas to create an integrated defense.
Network security’s goal is to protect the enterprise’s network from use or attack by an adversary. Network security’s major objectives include the following:
- The preventive objective is to block malicious traffic from passing from one part of the network to another, or channeling that traffic so that it can be detected through other means.
- The detective objective is to monitor and analyze network traffic in order to detect malicious traffic while it is in transit.
- The forensic objective is to log information about network traffic, or possibly all of the network traffic itself, so that the network traffic can be analyzed by detective controls, or to support investigations and audits.
- The audit objective involves analyzing network traffic in order to identify malicious activity or to generate artifacts indicating the lack of malicious activity. This activity may be determined by a number of characteristics, including the source and destination addresses, protocols used, timing, or data contained within the traffic.
Network Security: Threat Vectors
Most targeted attacks utilize the network in some way and rely on the network to perpetuate their attack while it is in progress. Network security threat vectors include the following:
- Attackers enter the enterprise through outbound network connections from servers or clients on the internal network.
- Attackers enter the enterprise through the network connections of Internet-facing servers.
- Attackers use internal networks to move laterally between computers inside the enterprise.
- Attackers use enterprise networks to extract data and remove it from the enterprise.
- Attackers take control of network infrastructure components and then leverage them to gain entry to the enterprise or to bypass other security measures.
Network Security: Capabilities
Network security includes a large number of capabilities that should be considered for deployment as part of an integrated security solution. Network security capabilities provide preventive, detective, forensic, and audit functions on the enterprise network. Network security technology or capability is not a “silver bullet” that will satisfy all cybersecurity requirements. However, an integrated set of capabilities can block, detect, and intercept many potential attacks.
Following are some network security capabilities. Appendix C provides detailed descriptions for these capabilities.
- Switches and routers
- Software Defined Networking (SDN)
- Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP)
- Network Time Protocol (NTP)
- Network service management
- Firewall and virtual machine firewall
- Network Intrusion Detection/Network Intrusion Prevention System (IDS/IPS)
- Wireless networking (Wi-Fi)
- Packet intercept and capture
- Secure Sockets Layer (SSL) intercept
- Network Access Control (NAC)
- Virtual Private Networking (VPN) and Internet Protocol Security (IPSec)
- Network Traffic Analysis (NTA)
- Network Data Analytics (NDA)
Network security makes a network safe from cyberattacks. More specifically, this functional area provides for the security of enterprise networks, their services, and access to them from the Internet and internally connected devices. Network security needs to be considered in terms of preventive, detective, and monitoring controls.
NS-01: Switches and Routers
Switches and routers are the building blocks of an information technology network. Protection of these critical infrastructure components (logical and physical) is one of the important capabilities of a security framework.
NS-02: Software Defined Networking (SDN)
Software Defined Networking provides greater flexibility in the deployment and management of networking devices (routers, switches, and so on). Along with these operational benefits, it provides better control over data flows, helping administrators thwart various denial of service attacks.
NS-03: Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP)
The domain name system translates hostnames to IP addresses so that names can be used when referring to unique addresses on the Internet. Mechanisms to protect against internal and Internet DNS attacks (for example, DNS poisoning) are required in a network.
NS-04: Network Time Protocol (NTP)
To record timestamps in security audit logs and system logs, all information systems must synchronize their clocks to a master clock. This synchronization helps to ensure the accuracy of the audit logs and aids in event correlation. Network time protocol can be utilized for this purpose.
NS-05: Network Service Management
Network management infrastructure frequently uses secure shell (SSH) and simple network management protocol (SNMP) to manage networking components at the enterprise level. These components must be hardened to protect them from attack and abuse.
NS-06: Firewall and Virtual Machine Firewall
Firewalls are utilized to restrict access from one network to another and enforce enterprise specific policies of acceptable actions on the network. A common firewall application is to separate an enterprise’s internal network from the Internet. There are various types of firewalls (for example, packet filtering, stateful firewalls, and application proxy firewalls). As more and more information systems are virtualized, host-based or VM-based firewalls are used to isolate various VMs running on the same host.
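To make the difference between the packet-filtering and stateful firewall types named above concrete, here is an added Python model that is not from the original text: it applies one constructed two-rule policy (internal workstations may reach an Internet-facing web server; the workstation LAN may not reach a finance segment) first as a stateless packet filter and then as a stateful filter that tracks the connections it has permitted. All addresses, ports and rule values are constructed for the illustration, and prefix string matching stands in for real CIDR matching.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the packet that opens a TCP connection

# Constructed policy (not from the original text): first match wins, default deny.
# Rule fields: source prefix, destination prefix, destination port (None = any), action.
RULES = [
    ("10.", "203.0.113.", 443, "allow"),  # internal workstations may reach the web server
    ("10.", "10.50.", None, "deny"),      # workstation LAN may not touch the finance segment
]

class PacketFilter:
    """Packet-filtering firewall: each packet is judged on its own header fields alone."""
    def __init__(self, rules):
        self.rules = rules

    def decide(self, pkt):
        for src, dst, dport, action in self.rules:  # prefix match stands in for CIDR match
            if pkt.src.startswith(src) and pkt.dst.startswith(dst) and dport in (None, pkt.dport):
                return action
        return "deny"  # default deny: anything not explicitly permitted is dropped

class StatefulFilter(PacketFilter):
    """Stateful firewall: remembers the connections it permitted and admits only packets
    (in either direction) that belong to one of them; everything else must pass the rules."""
    def __init__(self, rules):
        super().__init__(rules)
        self.sessions = set()

    def decide(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.sessions or reverse in self.sessions:
            return "allow"  # part of a connection that already passed the rules
        if not pkt.syn:
            return "deny"   # mid-stream or reply packet with no known session
        action = super().decide(pkt)
        if action == "allow":
            self.sessions.add(forward)  # remember it so the server's replies get back in
        return action
```

With the same rules, the stateless filter drops the web server's legitimate reply (no rule admits traffic from the Internet), which is why packet filters end up with broad inbound rules, while the stateful filter admits only the reply to a connection it saw open and still drops an unsolicited connection from that same server.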
NS-07: Network Intrusion Detection / Network Intrusion Prevention System (IDS / IPS)
Network intrusion detection systems (IDS) continuously scan the network and incoming data traffic for malicious activities. IDS logs malicious events in a security log to investigate a malicious session after the fact. Network intrusion prevention (IPS) enforces predefined network policies to prevent malicious events from taking place. Some of the commercially available products combine IDS and IPS into a single system referred to as intrusion detection and prevention system (IDPS).
NS-08: Wireless Networking (Wi-Fi)
Wireless technology enables devices to connect to a private network or the Internet without needing physical cables. Because wireless communications can be listened to by anyone within range, wireless networks are vulnerable to snooping, monitoring, and unauthorized connection. This capability involves securing wireless networking against potential attack.
NS-09: Packet Intercept and Capture
Network packet intercept and capture is a process of capturing and examining traffic on a network segment. This process examines protocols and their content for appropriateness. The captured information is logged for further analysis by users or tools. There is a wide variety of packet interceptors available in the market. Network engineers can use network protocol analyzers to understand network performance or read information contained in the data packets.
NS-10: Secure Sockets Layer (SSL) Intercept
With the advent of sophisticated cyberattacks, new products were developed to fill the gap identified in detection of outgoing encrypted traffic. It was long assumed that encrypted traffic originating within the boundaries of an enterprise must be necessary and not warrant further examination. Attackers have taken advantage of this false sense of security. There have been many security incidents where critical data was transmitted to the hacker’s machines via an encrypted channel using a rogue digital certificate. SSL interceptors fill this security gap by examining encrypted connections for malicious traffic. To work, the interceptor needs the current digital certificate from the host to decrypt the traffic.
NS-11: Network Access Control (NAC)
Network access control is a technology that verifies security posture (for example, patching level, malicious software, anti-virus, encryption strength, and so forth) before it grants network access permission. This technology is commonly used in an enterprise’s internal network to keep unauthorized computers from connecting to the enterprise’s network. In some cases, NAC is used as part of a remote access solution, such as virtual private network.
NS-12: Virtual Private Networking (VPN) and Internet Protocol Security (IPSec)
VPN is a technology that provides the ability to extend an enterprise’s internal networking resources to external or remote users in a secure manner. There are two commonly used protocols to deploy this technology: secure sockets layer (SSL) and IPSec. Both protocols may be combined with two-factor authentication (for example, smart card or public key infrastructure [PKI] token) for authentication and encryption of the communication channel.
NS-13: Network Traffic Analysis (NTA)
Network Traffic Analysis is the examination of the volume of traffic generated. There is no need for in-depth packet inspection. The goal is to monitor the network to determine whether a significant event is happening or is about to happen, based on the network traffic patterns.
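The volume-only approach just described, as an added Python example that is not from the original text: it compares each host's latest outbound byte count against that host's own baseline using only flow-level counts (source address, interval and bytes, the same characteristics the audit objective lists), with no payload inspection, and flags a host whose volume jumps far above its baseline, the pattern one would expect from the data-extraction threat vector named earlier. The flow records, host names and thresholds are constructed for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-minute flow summaries (not real data): (minute, source host, bytes out).
# Both hosts have a steady baseline for ten minutes; then ws-22 pushes out far more data.
SAMPLE_FLOWS = (
    [(m, "ws-17", 40_000 + (m % 3) * 5_000) for m in range(10)]
    + [(m, "ws-22", 35_000 + (m % 4) * 4_000) for m in range(10)]
    + [(10, "ws-17", 42_000), (10, "ws-22", 900_000)]
)

def per_host_series(flows):
    """Group outbound byte counts per source host, ordered by interval."""
    series = defaultdict(list)
    for _minute, host, nbytes in sorted(flows):
        series[host].append(nbytes)
    return series

def find_volume_anomalies(flows, baseline_intervals=10, sigma=3.0):
    """Return {host: (latest_bytes, baseline_mean, z_score)} for every host whose
    latest interval exceeds its own baseline mean by more than `sigma` standard
    deviations. Only counts are used: no packet contents are inspected."""
    anomalies = {}
    for host, values in per_host_series(flows).items():
        if len(values) <= baseline_intervals:
            continue  # not enough history yet to judge this host
        baseline, latest = values[:baseline_intervals], values[-1]
        mu, sd = mean(baseline), pstdev(baseline)
        if sd == 0:
            continue  # a perfectly flat baseline gives no usable spread
        z = (latest - mu) / sd
        if z > sigma:
            anomalies[host] = (latest, mu, round(z, 1))
    return anomalies
```

A per-host baseline matters because a 100 KB burst is normal for one workstation and alarming for another; in practice the baseline would also be split by time of day so scheduled backups do not alert.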
NS-14: Network Data Analytics (NDA)
Network Data Analytics analyzes network traffic trends, network availability, planned outage impacts, and network traffic. NDA is utilized in combination with other analysis tools to create a comprehensive model of various network threats. NDA’s goal is, in part, to predict the next big network-based attack.
[1] Verizon Data Breach Investigation Report, 2013.
[2] Mandiant M-Trends Annual Report, 2013.