Before I begin, let’s address two obvious questions. Number one, what kind of network are we talking about here? I’m referring to a large or enterprise network. However, you can implement some of these security solutions on your home or SOHO network. Well, maybe you wouldn’t want a network access enterprise server at your home. Number two, how in-depth is this going to be? Not that in-depth. It’ll be pretty basic security solutions; nevertheless, they are all solutions you should know.
The Defense In-Depth Approach
If you’re studying cybersecurity, or are soon going to be studying cybersecurity, then you’re certainly going to need to familiarize yourself with the “Defense In-Depth” approach. The Defense In-Depth strategy is a layered approach to security in which we divide our company into multiple layers of protection. At each layer, we implement some form of control(s).
In this model, the Physical layer consists of the physical controls we implement at that layer. For instance, we can use mantraps or card readers at each entrance to the building, door locks, hardware locks, and so on. Let’s go through each layer of this model and identify some of the best security controls we can adopt.
I’m going to list some common security solutions you can implement at each layer.
Policies, Procedures, and Awareness
Policies and procedures – every company, organization, agency, enterprise, or small business has to have these. Depending on the size and reach of your company, you can have just a few important policies to hundreds of policies, all relating to different aspects of security. Procedures are usually included in the policy. For example, you can have a Safety and Emergency policy and inside are the proper procedures for safe evacuation.
Arguably, one of the most important security policies is the “Acceptable Use Policy (AUP).” The AUP defines corporate resources and their acceptable use. The reach of an AUP is broad, and it covers areas such as proper access to these resources, consent to monitoring, password responsibilities, breaches of confidential and proprietary information, application security, copyright infringement, data ownership, illegal activities, and more. In a nutshell, the AUP tells employees what they can and cannot do. The AUP will obviously be more complex at larger companies or corporations, and in some cases you are even required to sign the AUP during the on-boarding process.
There’s also the “Network Access Policy (NAP),” which again branches off into a subset of other “sub-policies.” NAPs define who is authorized to access the company’s network and what they can and cannot do on the network. For example, employees will have to agree that they won’t attempt to access any network resources they have not been given permission to access. That means that Joe over in the graphic design department must not access the RRAS server.
One particular security policy that stands out is the “Password Policy.” Everybody must have a password policy. These policies always specify the minimum requirements of a secure password. For example, passwords must be 10 or more characters and contain uppercase letters, lowercase letters, numbers, and special characters. If you’re in a Windows environment utilizing Active Directory services, administrators can enforce the password policy in every Windows domain. You can also set password age and history requirements.
The last policy I’ll mention is a “Security Awareness Policy,” which might institute mandatory security awareness training for employees. Every 6 months or every new year, employees may be required to refresh their memory on important security-related topics, such as malware prevention, E-mail security, and social engineering. Or, perhaps, the company may release a security newsletter every month that bullet-points critical and relevant information on good security practices.
Again, these are just some of the more “basic” and common security policies; however, there are many more that make the list. For example, a few honorable mentions would be the Business Continuity Planning (BCP) policies, Disaster Recovery Policies, Backup policy, Data Retention policy, Change Management Procedure policy, Remote Access policy, and the BYOD policy.
Physical Security
Physical controls are something tangible and are often described as something that does not utilize any form of “technology” in the modern sense of the word. These would be controls placed around the perimeter of the property, such as a fence. Or, if you’d like to be more inviting, you can use bollards. However, one of the more obvious physical security controls is locks. You can place locks on doors, hardware equipment, equipment closets, and data centers. Equipment closets themselves are also considered physical controls. By keeping your network switches, servers, and routers locked in a separate room away from unauthorized persons, you are practicing good physical security.
Physical controls can also be combined with a technological aspect. For example, smart cards are actually a “physical-technical” control. Smart cards might not appear very technological, but they do contain microchips that can be read by a card reader.
Two completely simple and under-appreciated controls are signs and lighting. Lighting up your back entrances where the dumpsters are may deter cybercriminals from “dumpster diving,” which is the process of digging through a company’s or person’s trash for discarded personal information, such as usernames, passwords, E-mail addresses, confidential information, and contact information. Install lighting at all entrances into a building or secure areas.
There’s also a door access system called a mantrap. It’s a step down from a biometric access system on a door, but it is designed to prevent “tailgating.” Tailgating occurs when an unauthorized individual “piggybacks” into a building by closely following an authorized individual inside. A classic tailgating example is when an unauthorized person stands at the door holding a bunch of heavy boxes, maybe donuts “for the staff.” This social engineering tactic takes advantage of others’ kindness and willingness to help. Any good person would hold the door open for them; however, any security-aware person would request their identification first. Mantraps use two doors as the entrance into a secure room or building. Only one door can open at a time.
Perimeter Security
The perimeter layer isn’t the perimeter of the building, but rather the perimeter of the network. This is the boundary between the dirty Internet and the clean internal network.
The first and sometimes last line of defense at the edge of your network is a firewall. There are many different types of firewalls, but the ones you should use are third- and fourth-generation firewalls. These firewalls are “stateful,” meaning they inspect traffic not only at layers 2 and 3 of the OSI model, but also at higher layers, such as layer 7 (Application). These later-generation firewalls are capable of deep packet inspection (DPI) and can keep track of established sessions between two endpoints. “Application-level” firewalls, for instance, are “aware” of the applications being used, which was something unseen in the first-generation “stateless” firewalls. It’s wise to place firewalls at the edge of your network. All firewalls use an “Access Control List (ACL),” in which a firewall administrator crafts explicit or implicit firewall rules and applies them to an interface.
There’s always a discussion in the networking community about whether the router or the firewall should face the WAN/Internet connection. Honestly, there are good arguments on both sides; however, the exact firewall architecture of your perimeter network is going to depend on the size of your network, the value of the information traveling in-bound/out-bound, bandwidth utilization, and other requirements. Generally speaking, many network techs install a perimeter firewall in an Internet>router>firewall>switch fashion. However, you can also switch the positions of the firewall and the router. Often, the firewall will actually be built into the router, but on enterprise networks, it’s more common to have a standalone firewalling device. There are other firewall setup designs, and some will even have switches in between, but as long as you are properly filtering traffic into and out of your network, it should be fine.
Another device that offers perimeter protection is an “Intrusion Detection System (IDS).” An IDS is a system that “detects” malicious traffic. An IDS can also be “active” or “passive,” but the more common implementation would be the latter. In passive mode, also called “promiscuous” mode, IDS sensors are placed in various locations of the network. If you are placing IDS sensors on the perimeter of your network, you can place them before or after the firewall. If you are interested in capturing all the traffic that comes into your network, place it before the firewall. If you want to examine the traffic that gets filtered by the firewall, then place the IDS sensor after the firewall. It’s also good to place IDS sensors on the same VLANs as critical servers, such as a server farm or DMZ. IDS sensors copy traffic and send a copy of it to a central IDS system for analysis. If suspicious activity is detected, a security administrator can be alerted via E-mail or SMS text message.
And, of course, we can’t forget about “Intrusion Prevention Systems (IPS).” These systems actually “prevent” malicious attacks from occurring on the network. In order to do this, an IPS must sit inline with traffic. An IPS can create “rules” on-the-fly that prevent malicious traffic or they can redirect malicious traffic to a honeynet.
There are several different categories of IDS and IPS: for example, they can be behavior-based, anomaly-based, signature-based, heuristic-based, network-based, or host-based. All IDS and IPS use rules, very similar to the firewall rules in a firewall policy.
Internal Network Security
As for internal network security, you can go beyond the perimeter firewall approach. Firewalls aren’t just great for perimeter network security. You can also create locations on your network where Internet-facing servers live. For example, you can have multiple Web servers stationed inside a “dirty” network, referred to as the “Demilitarized Zone” or “DMZ.” The DMZ is a segment of the network where Internet users can access a service in your internal network without the danger of them reaching internal network resources. The DMZ is created and protected by boundary network firewalls. For example, you can port-filter in-bound and out-bound traffic to a Web server inside the DMZ by opening only TCP port 80 (HTTP) or, preferably, TCP port 443 (HTTPS). Which ports you need open ultimately depends on what services you have running in the DMZ. If an attack or infection occurs in the DMZ, only the systems inside the DMZ are affected, not the whole internal network.
You can also implement forms of “Network Access Control (NAC).” There are several different NAC implementations I’ve discussed in the past that control network access of internal and remote users, such as IEEE 802.1X Port-based Network Access Control (PNAC), RADIUS, TACACS+, and Diameter. These AAA protocols help authenticate users onto the network. Without the correct username and password combination, access to the network and its resources is restricted.
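The explicit-rule/implicit-deny ACL and the session tracking described in the firewall and DMZ paragraphs above, as an added example (not code from the original post). The addresses and the single web server in the DMZ are assumptions; the model is first-match, with an implicit deny when no rule matches.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed topology for this example: one web server in the DMZ and one
# internal host. Addresses are constructed documentation-range values.
DMZ_WEB = "203.0.113.10"
INTERNAL_HOST = "10.0.0.5"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # True for the first packet of a new TCP connection


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    dst: Optional[str]      # None matches any destination host
    dport: Optional[int]    # None matches any destination port
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


# Explicit rules for traffic arriving from the Internet; first match wins.
# HTTPS to the DMZ web server is the only exposed service. Plain HTTP is
# refused explicitly, and everything else (internal hosts included) falls
# through to the implicit deny at the end of the list.
INBOUND_ACL = [
    Rule("allow", DMZ_WEB, 443),
    Rule("deny", DMZ_WEB, 80),
]


class StatefulFirewall:
    """Applies the inbound ACL and tracks sessions so replies to
    connections opened from the inside are admitted without a rule."""

    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()   # (initiator, port, responder, port)

    def outbound(self, pkt: Packet) -> str:
        # Inside-initiated connections are recorded so their replies get back in.
        if pkt.syn:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"

    def inbound(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "allow"          # reply belonging to a known session
        if not pkt.syn:
            return "deny"           # mid-stream packet with no session
        for rule in self.acl:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "deny"               # implicit deny
```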
But, these implementations aren’t the only players in NAC. There is also Cisco’s NAC, which stands for “Network Admission Control.” In Cisco’s NAC, you can implement a “Posture Assessment.” In a Posture Assessment, a persistent or non-persistent “agent” is downloaded and installed on a client machine. When the client boots up or wishes to access the network, the agent scans the client machine for things like operating system type, anti-virus software, and available updates. The agent reports this to a Cisco “Access Control Server (ACS).” If the ACS likes the security report of the client, it will grant it access to the network.
Of course, we all know that anti-malware programs can be installed on individual hosts, but they can also be cloud/server-based. With cloud/server-based anti-malware, the software and its updates are hosted on a server, either locally or at a remote location reachable from a quarantine network. If a client machine is deemed a security threat to the network, it can be routed to the quarantine network, where it can download the latest version of the anti-malware and “clean” the infection.
Encryption! Make sure you are using encrypted channels if you are connecting to a device over the network. Using Telnet instead of SSH is very frowned upon as it passes credentials over the network in clear text. If you need to connect to a remote site or host, be sure to use a VPN. Be careful as some VPN tunnels don’t provide native encryption. For example, an L2TP VPN is a great VPN for connecting site-to-site, but on its own, it provides no encryption. For that reason, it’s common to run an L2TP VPN with something like IPsec. Also, are you using WPA? You shouldn’t! Everyone knows you should use WPA2! Well, actually, WPA2 was recently cracked, but when WPA3 comes out, that’s what you should be using.
Although you can use the following device in multiple in-depth layers, I’ll place it here. A “Unified Threat Management (UTM)” device is a device of unified security solutions. You can think of it as an all-in-one device. It has firewalling, IDS/IPS, content inspection, malware inspection, data protection monitoring, and more. UTM devices may be convenient since they eliminate the need for other security devices; however, if you’re solely relying on a UTM device, it now becomes a single point of failure.
Host Security
Literally every computer should be running anti-malware. And these anti-malware programs should be updated with new signatures every day. In the world of cybersecurity, new malware is discovered each day and current malware is always evolving. Most anti-malware programs are signature-based, meaning they contain a database of known malware “profiles.” When the anti-malware program scans the computer, it’s really checking whether it notices any known malicious code. The downside of these programs is that they require constant updating; otherwise, the program will miss the newest malware seen in the wild. Other options include anomaly- and behavior-based anti-malware, which flags activity by the system that is deemed unusual.
Ah! You thought we were done with firewalls, didn’t you? Firewalls can also be installed on individual systems. Each computer can possess its own “Host-based Firewall.” A host-based firewall is a system’s own personal firewall. It is software installed on the system that filters in-bound and out-bound traffic to and from the system based on firewall rules. The “Windows Firewall” is a perfect example of a host-based firewall.
Did you also think we were done with IDS? Yes, an IDS can also be host-based and installed on individual systems.
Regularly scheduled patching and updating is also another way to protect your internal network. This might be more of a maintenance issue, but it becomes more of a security issue when critical vulnerabilities are discovered on your systems, especially “Zero Days,” which are previously unknown major vulnerabilities. When serious vulnerabilities are discovered, we usually “break” from our usual patching schedule and apply an “Out-of-Band (OOB)” patch, such as a vulnerability patch. The bottom line is that keeping your systems patched will benefit your security in the long run.
Eliminating “Single Points of Failure” could also count as an internal security control. For example, if you have one critical node on your network, such as a single file server, you’re taking a big risk. It’s important to implement some redundancy on the file server, or even have one or more redundant file servers as an active or passive backup. In addition, you should have redundant storage on the critical node as hard drives are one of the network resources that fail the most. Implementing “Redundant Arrays of Inexpensive Disks (RAID)” will ensure your data is protected from hard drive failures so long as you are using RAID-1 or higher.
Another topic is “hardening.” When you “harden” a system, you are actually making it harder for cyberattackers to attack your systems. One way of hardening a system is by closing unnecessary ports and services. We have many services running in the background that we don’t need. And if there’s a currently running service, then it might be listening on an open port, which also opens your system up to attack. Cybercriminals query and scan open ports to find services that they can potentially exploit. So, if you don’t need a service, disable it. Disabling the service also closes the port.
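A small audit for the hardening step above: compare what a host is actually listening on with a baseline of the services it is supposed to run. This is an added example, not from the original post; the `ss -tlnH` output is constructed sample data in the tool’s real column layout, and the baseline is an assumed one for a web server.

```python
# Constructed sample of `ss -tlnH` output (TCP listeners, numeric, no header).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      50              [::]:445          [::]:*
"""

# Assumed baseline for this host: port -> True if it may only bind loopback.
# SSH and HTTPS are expected on all interfaces; the database must stay local.
BASELINE = {22: False, 443: False, 5432: True}

LOOPBACK = ("127.0.0.1", "::1")


def parse_listeners(text):
    """Return (address, port) for every LISTEN line in ss output."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)   # IPv6 is bracketed: [::]:22
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def audit(text, baseline):
    """Flag listeners the baseline does not allow.

    Each finding is (port, address, reason). Two reasons are reported:
    a service that is not in the baseline at all (disable it), and a
    service that should be loopback-only but is bound to all interfaces.
    """
    findings = []
    for addr, port in parse_listeners(text):
        if port not in baseline:
            findings.append((port, addr, "not in baseline: disable the service"))
        elif baseline[port] and addr not in LOOPBACK:
            findings.append((port, addr, "must bind loopback only"))
    return findings


if __name__ == "__main__":
    for port, addr, reason in audit(SAMPLE_SS_OUTPUT, BASELINE):
        print(f"port {port} on {addr}: {reason}")
```

Here the audit flags Telnet (23) and SMB (445), neither of which belongs on this host, while the loopback-bound database passes.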
And, finally, one of the many host security topics I consider really important is user account management. This topic obviously pairs with access control, the “Least Privilege Principle,” and the “Need to Know Principle.” These principles adopt the security belief that users should only be granted the rights and permissions they need to do their job, and no more. They also imply that users should not be granted access to information unless it is “needed” to perform their job. This helps prevent privilege creep and limits what malicious insiders who want to steal confidential information can reach. There are many different models of access control, but one of the most popular is Role-BAC. Government agencies, on the other hand, prefer MAC. Another aspect of user account management deals with default user accounts. These accounts should always be disabled, as they come with inherent permissions not acceptable on a secured network.
Application Security
Only administrators should be able to determine which applications should be running on a workstation, server, or other system. They have the “smarts” to determine which applications are more secure…not an employee who wants to download an application off the Internet. Administrators can “whitelist” or “blacklist” applications. A whitelist is a list of approved applications, while a “blacklist” is a list of denied applications. Application whitelisting is the most effective way to stop users from installing applications on their computers, because the only applications that can be installed are those on the whitelist. Group Policy allows for whitelisting applications.
Auditing applications on each system also makes a lot of sense. Reviewing an audit can discover unauthorized applications that were undesirably downloaded on the system. In addition, a baseline can be made for an application’s configuration settings, which will help detect any unwanted changes to an application’s configuration. And, of course, we can’t forget to routinely update these applications for any security vulnerabilities.
It also helps to understand advanced application attacks. Some applications are vulnerable to buffer overflow attacks, in which the application receives more input than it expects. This attack corrupts the program’s memory, which can allow the attacker to execute malicious code. Other applications are vulnerable to different types of injection attacks, such as XML and SQL injection. Therefore, it will benefit the security of your network if you know how to keep your applications safe. The overall best defense against these attacks is proper input validation, meaning you stop unexpected data, such as malicious strings, from being accepted by the application. Another good option is error and exception handling, that is, ensuring your applications do not reveal any useful information to attackers when an error occurs, which might assist the attacker in discovering a vulnerability.
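The SQL injection, input validation, and error-handling points above, as an added example that is not part of the original post. A vulnerable query is shown beside its hardened form, using an in-memory SQLite table with constructed rows; the username character set is an assumed policy for this demo.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is spliced into the SQL text, so the input can change
    # the query's structure: a string such as  ' OR '1'='1  widens the WHERE
    # clause to every row instead of matching one username.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Parameter binding: the driver passes the value as data, never as SQL
    # syntax, so the same string is simply a username that does not exist.
    rows = conn.execute("SELECT username FROM users WHERE username = ?",
                        (username,))
    return [row[0] for row in rows]


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")   # assumed username policy


def safe_lookup(conn, username):
    """Defense in depth: validate the input, bind the parameter, and never
    echo the database's own error text back to the caller."""
    if not USERNAME_RE.fullmatch(username):
        return {"ok": False, "error": "invalid username"}
    try:
        return {"ok": True, "rows": lookup_parameterized(conn, username)}
    except sqlite3.Error:
        # The real exception belongs in a server-side log (omitted here);
        # the caller only learns that the lookup failed.
        return {"ok": False, "error": "lookup failed"}
```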
Data Security
Besides the policy aspect of data protection, there are several ways we can protect our data. Data can be at rest, in transit, or in use. Data at rest is data in storage. We can protect data at rest with encryption. We have various software-based encryption solutions at our disposal, such as TrueCrypt and BitLocker. These solutions may offer file-level encryption or full-disk encryption. There’s also hardware-based encryption support, such as the “Trusted Platform Module (TPM),” a microchip on your motherboard that holds the encryption keys so the drive cannot be unlocked on other hardware.
The only way to protect data in transit is to encrypt it. Always use secure tunneling and encryption protocols, such as HTTPS, SSL/TLS, SFTP, FTPS, IPsec, and SSH. As for data in use, encryption is also your best bet.
However, there are also “Data Loss Prevention (DLP)” techniques. A DLP system can prevent a data leak by being network-based, storage-based, or even endpoint-based. DLP systems inspect data at rest, in transit, or in use by monitoring outgoing data streams for specific data formats. For example, a DLP system can detect social security numbers if it notices data in the format “###-##-####.”
And last, but not least, back up your data. There are different backup schedules you can follow, such as differential backups or incremental backups; however, the schedule you follow largely depends on your needs.
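The DLP format check described above, as an added example that is not part of the original post: it scans a constructed outgoing message for the “###-##-####” shape, discards values that cannot be an issued SSN (area 000, 666 or 900–999, group 00, serial 0000), and redacts the match before alerting. The block/allow decision is a simplified stand-in for a real DLP policy action.

```python
import re

# "###-##-####" from the text, bounded so a match cannot start or end inside a
# longer digit run (part numbers, phone numbers, account numbers).
SSN_SHAPE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs; filters obvious false positives."""
    a = int(area)
    return (a not in (0, 666) and a < 900
            and group != "00" and serial != "0000")


def scan_stream(lines):
    """Return (line_number, redacted_value) for each plausible SSN found."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in SSN_SHAPE.finditer(line):
            if plausible_ssn(*m.groups()):
                # Redact before alerting so the alert itself is not a leak.
                findings.append((lineno, f"***-**-{m.group(3)}"))
    return findings


def release_decision(lines):
    """Simplified policy action: block the stream if anything was found."""
    hits = scan_stream(lines)
    return ("block" if hits else "allow"), hits


# Constructed outgoing e-mail body; the SSN-shaped values are sample data.
SAMPLE_OUTGOING = [
    "Hi Dana, please find the onboarding packet attached.",
    "Employee record: Jane Doe, SSN 219-09-9999, start date 2018-05-01.",
    "Ticket ref 000-00-0000 and part number 12345-67-8901 are unrelated.",
    "Regards, HR",
]

if __name__ == "__main__":
    action, hits = release_decision(SAMPLE_OUTGOING)
    print(action, hits)
```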
When it’s all boiled down, these are just a FEW of the security solutions you can implement on your network. I’ve just pointed out several of the more important solutions. As you continue your studies in cybersecurity, you’ll discover more and more methods to protect your network. And, as time progresses, we will see new upcoming security solutions that revolutionize the network security industry.