Lect 7

Module-2
Security Device Management

Module-2: Security Device Management
• Different types of information security devices

and their functions,
• Technical and configuration specifications,
architecture concepts
• Design patterns and how these contribute to
the security of design and devices.
Types of information security devices
• Access control
• Antivirus and anti-malware software
• Application security
• Behavioral analytics
• Data loss prevention
• Distributed denial of service prevention
• Email security
• Firewalls
• Mobile device security
• Network segmentation
• Security information and event management
• Web security
• Access control
– This refers to controlling which users have access
to the network or especially sensitive sections of
the network. Using security policies, you can
restrict network access to only recognized users
and devices or grant limited access to
noncompliant devices or guest users.
• Antivirus and anti-malware software
– Malware, or “malicious software,” is a common form
of cyber attack that comes in many different shapes
and sizes.
– Some variations work quickly to delete files or
corrupt data, while others can lie dormant for long
periods of time and quietly allow hackers a back door
into your systems.
– The best antivirus software will monitor network
traffic in real time for malware, scan activity log files
for signs of suspicious behavior or long-term
patterns, and offer threat remediation capabilities.
• Application security.
– Each device and software product used within your
networking environment offers a potential way in for
hackers.
– For this reason, it is important that all programs be
kept up-to-date and patched to prevent cyber
attackers from exploiting vulnerabilities to access
sensitive data.
– Application security refers to the combination of
hardware, software, and best practices you use to
monitor issues and close gaps in your security
coverage.
• Behavioral analytics
– In order to identify abnormal behavior, security
support personnel need to establish a baseline of
what constitutes normal behavior for a given
customer’s users, applications, and network.
– Behavioral analytics software is designed to help
identify common indicators of abnormal behavior,
which can often be a sign that a security breach has
occurred.
– By having a better sense of each customer’s
baselines, MSPs can more quickly spot problems and
isolate threats.
• Data loss prevention

– Data loss prevention (DLP) technologies are those
that prevent an organization’s employees from
sharing valuable company information or sensitive
data—whether unwittingly or with ill intent—
outside the network.
– DLP technologies can prevent actions that could
potentially expose data to bad actors outside the
networking environment, such as uploading and
downloading files, forwarding messages, or
printing.
• Distributed denial of service prevention

– Distributed denial of service (DDoS) attacks are
becoming increasingly common.
– They function by overloading a network with one-
sided connection requests that eventually cause
the network to crash.
– A DDoS prevention tool scrubs incoming traffic to
remove nonlegitimate traffic that could threaten
your network, and may consist of a hardware
appliance that works to filter out traffic before it
reaches your firewalls.
• Email security
– Email is an especially important factor to consider when
implementing networking security tools.
– Numerous threat vectors, like scams, phishing, malware, and
suspicious links, can be attached to or incorporated into emails.
– Because so many of these threats will often use elements of
personal information in order to appear more convincing, it is
important to ensure an organization’s employees undergo
sufficient security awareness training to detect when an email
is suspicious.
– Email security software works to filter out incoming threats and
can also be configured to prevent outgoing messages from
sharing certain forms of data.
• Firewalls
– Firewalls are another common element of a
network security model.
– They essentially function as a gatekeeper between
a network and the wider internet.
– Firewalls filter incoming and, in some cases,
outgoing traffic by comparing data packets against
predefined rules and policies, thereby preventing
threats from accessing the network.
• Mobile device security

– The vast majority of us have mobile devices that
carry some form of personal or sensitive data we
would like to keep protected.
– This is a fact that hackers are aware of and can
easily take advantage of. Implementing mobile
device security measures can limit device access
to a network, which is a necessary step to
ensuring network traffic stays private and doesn’t
leak out through vulnerable mobile connections.
• Network segmentation
– Dividing and sorting network traffic based on
certain classifications streamlines the job for
security support personnel when it comes to
applying policies.
– Segmented networks also make it easier to assign
or deny authorization credentials for employees,
ensuring no one is accessing information they
should not be.
– Segmentation also helps to sequester potentially
compromised devices or intrusions.

– These security systems (called SIEMs) combine
host-based and network-based intrusion detection
systems that combine real-time network traffic
monitoring with historical data log file scanning to
provide administrators with a comprehensive
picture of all activity across the network.
https://
www.sciencedirect.com/science/article/pii/S138912
8621001237

– An IPS can also log security events and send
notifications to the necessary players in the
interest of keeping network administrators
informed.
• Web security
– Web security software serves a few purposes.
– First, it limits internet access for employees, with
the intention of preventing them from accessing
sites that could contain malware.
– It also blocks other web-based threats and works
to protect a customer’s web gateway.
Configuring Firewall
• What firewall software does?
– A firewall is simply a program or hardware device
that filters the information coming through the
internet connection into your private network or
computer system.
– If an incoming packet of information is flagged by
the filters, it is not allowed through.
– Let's say that you work at a company with 500 employees.
The company will therefore have hundreds of computers
that all have network cards connecting them together. In
addition, the company will have one or more connections
to the internet through something like T1 or T3 lines.
– Without a firewall in place, all of those hundreds of
computers are directly accessible to anyone on the
internet. A person who knows what he or she is doing can
probe those computers, try to make FTP connections to
them, try to make telnet connections to them and so on. If
one employee makes a mistake and leaves a security hole,
hackers can get to the machine and exploit the hole.
 With a firewall in place, the landscape is much
different. A company will place a firewall at every
connection to the internet (for example, at every T1
line coming into the company).
 The firewall can implement security rules. For
example, one of the security rules inside the company
might be:
 Out of the 500 computers inside this company, only
one of them is permitted to receive public FTP traffic.
 Allow ftp connections only to that one computer and
prevent them on all others.
• Firewalls use one or more of three methods to
control traffic flowing in and out of the
network:
Packet filtering
Proxy service
Stateful inspection
• Packet Filtering
– Packets (small chunks of data) are analyzed
against a set of filters. Packets that make it through
the filters are sent to the requesting system and all
others are discarded.
• Proxy service
Information from the internet is retrieved by the
firewall and then sent to the requesting system and
vice versa.
• Stateful Inspection
 A newer method that doesn't examine the contents of
each packet but instead compares certain key parts
of the packet to a database of trusted information.
 Information traveling from inside the firewall to the
outside is monitored for specific defining
characteristics, then incoming information is
compared to these characteristics.
 If the comparison yields a reasonable match, the
information is allowed through. Otherwise it is
discarded.
Working of firewall
Firewall SOFTWARE CONFIGURATION
• Firewalls are customizable. This means that

you can add or remove filters based on several
conditions. Some of these are:
IP addresses
Domain names
Protocols
• IP addresses
Each machine on the Internet is assigned a unique
address called an IP address. IP addresses are 32-
bit numbers, normally expressed as four "octets" in
a "dotted decimal number."
A typical IP address looks like this: 216.27.61.137.
For example, if a certain IP address outside the
company is reading too many files from a server,
the firewall can block all traffic to or from that IP
address.
• Domain names
 As it is hard to remember the string of numbers that
make up an IP address, and because IP addresses
sometimes need to change, all servers on the Internet
also have human-readable names, called domain names
 For example, it is easier for most of us to remember
www.howstuffworks.com than it is to remember
216.27.61.137.
 A company might block all access to certain domain
names, or allow access only to specific domain names.
• Protocols
 The protocol is the pre-defined way that someone who
wants to use a service talks with that service.
 The "someone" could be a person, but more often it is a
computer program like a Web browser.
 Protocols are often text, and simply describe how the client
and server will have their conversation.
 The http in the Web's protocol.
 A company might set up only one or two machines to
handle a specific protocol and ban that protocol on all other
machines.
• Protocols
– Some common protocols that you can set firewall
filters for include:
 IP (Internet Protocol)
 TCP (Transmission Control Protocol)
 HTTP (Hyper Text Transfer Protocol)
 FTP (File Transfer Protocol)
 UDP (User Datagram Protocol) teletype network
 ICMP (Internet Control Message Protocol)
 SMTP (Simple Mail Transport Protocol)
 SNMP (Simple Network Management Protocol)
 Telnet (Teletype Network)
Why Firewall Security?
• Access or abuse of unprotected computers
– There are many creative ways that unscrupulous people use to access
or abuse unprotected computers:
 Remote login
 Application backdoors
 SMTP session hijacking
 Operating system bugs
 Denial of service
 E-mail bombs
 Macros
 Viruses
 Spam
 Redirect bombs
 Source routing
• Remote Login
When someone is able to connect to your
computer and control it in some form.
This can range from being able to view or access
your files to actually running programs on your
computer.
• Application backdoors
Some programs have special features that allow for
remote access.
Others contain bugs that provide a backdoor, or
hidden access that provides some level of control
of the program.
• SMTP session hijacking
SMTP is the most common method of sending e-
mail over the Internet.
By gaining access to a list of e-mail addresses, a
person can send unsolicited junk e-mail (spam) to
thousands of users.
This is done quite often by redirecting the e-mail
through the SMTP server of an unsuspecting host,
making the actual sender of the spam difficult to
trace.
• Operating system bugs
Like applications, some operating systems have
backdoors.
Others provide remote access with insufficient
security controls or have bugs that an experienced
hacker can take advantage of.
• Denial of service
This type of attack is nearly impossible to counter.
What happens is that the hacker sends a request to
the server to connect to it.
When the server responds with an
acknowledgement and tries to establish a session,
it cannot find the system that made the request. By
inundating a server with these unanswerable
session requests, a hacker causes the server to slow
to a crawl or eventually crash.
• E-mail bombs
An e-mail bomb is usually a personal attack.
Someone sends you the same e-mail hundreds or
thousands of times until your e-mail system cannot
accept any more messages.
• Macros
To simplify complicated procedures, many
applications allow you to create a script of
commands that the application can run. This script
is known as a macro.
Hackers have taken advantage of this to create
their own macros that, depending on the
application, can destroy your data or crash your
computer.
• Viruses
Probably the most well-known threat is computer
viruses.
A virus is a small program that can copy itself to
other computers. This way it can spread quickly
from one system to the next. Viruses range from
harmless messages to erasing all of your data.
• Spam
Typically, harmless but always annoying, spam is
the electronic equivalent of junk mail.
Spam can be dangerous though.
Quite often it contains links to Web sites.
Be careful of clicking on these because you may
accidentally accept a cookie that provides a
backdoor to your computer.
• Redirect bombs
Hackers can use ICMP to change (redirect) the
path information takes by sending it to a different
router.
This is one of the ways that a denial of service
attack is set up.
• Source routing
In most cases, the path a packet travels over the
Internet (or any other network) is determined by
the routers along that path.
But the source providing the packet can arbitrarily
specify the route that the packet should travel.
Hackers sometimes take advantage of this to make
information appear to come from a trusted source
or even from inside the network! Most firewall
products disable source routing by default.
• Security against unauthorized access or abuse
 Some of the items in the list above are hard, if not impossible, to filter
using a firewall.
 While some firewalls offer virus protection, it is worth the investment
to install anti-virus software on each computer.
 The level of security you establish will determine how many of these
threats can be stopped by your firewall.
 You can also restrict traffic that travels through the firewall so that only
certain types of information, such as e-mail, can get through.
 This is a good rule for businesses that have an experienced network
administrator that understands what the needs are and knows exactly
what traffic to allow through.
 one of the best things about a firewall from a security standpoint is that
it stops anyone on the outside from logging onto a computer in your
private network.
Proxy Servers and DMZ
• There are times that you may want remote
users to have access to items on your network.
Some examples are:
Web site
Online business
FTP download and upload area
Proxy Servers and DMZ
 DMZ is just an area that is outside the firewall.
 Think of DMZ as the front yard of a house.
 It belongs to the owner, who may put some things there, but
would put anything valuable inside the house where it can be
properly secured.
 Setting up a DMZ is very easy.
 If you have multiple computers, you can choose to simply
place one of the computers between the Internet connection
and the firewall. Most of the software firewalls available will
allow you to designate a directory on the gateway computer
as a DMZ.
Configuring a Simple Firewall
 The Cisco 1800 integrated services routers support network
traffic filtering by means of access lists.
 The router also supports packet inspection and dynamic
temporary access lists by means of Context- Based Access
Control (CBAC).
 Basic traffic filtering is limited to configured access list
implementations that examine packets at the network layer
or, at most, the transport layer, permitting or denying the
passage of each packet through the firewall.
 However, the use of inspection rules in CBAC allows the
creation and use of dynamic temporary access lists.
 These dynamic lists allow temporary openings in the
configured access lists at firewall interfaces.
 These openings are created when traffic for a specified user
session exits the internal network through the firewall.
 The openings allow returning traffic for the specified session
(that would normally be blocked) back through the firewall.
 See the Cisco IOS Security Configuration Guide, Release 12.3
, for more detailed information on traffic filtering and
firewalls.
 The following Figure shows a network deployment using
PPPoE or PPPoA with NAT and a firewall.
•
Point-to-Point Protocol over Ethernet (PPPoE)
is a network protocol that facilitates
communication between network endpoints.
PPPoE encapsulates Point-to-Point Protocol
(PPP) frames inside Ethernet frames, offering
the same benefits as PPP, while providing
connectivity across Ethernet networks.
• Point to Point Protocol over Ethernet (PPPoE)
is a type of broadband connection that
provides authentication (username and
password) in addition to data transport. Most
DSL providers use PPPoE to establish Internet
connections for customers.
Is PPPoE a VPN?
• when you use a VPN with PPPoE, you are able
to prevent an ISP from monitoring your DSL
connection since ISPs commonly use deep
packet inspection to analyze your Internet
traffic and limit your bandwidth.
PPPoE Vs PPPoA
http
://www.differencebetween.net/technology/inte
rnet/difference-between-pppoe-and-pppoa/#ixz
z7MLQp8ozr
• The following Figure shows a network
deployment using PPPoE or PPPoA with NAT
and a firewall.
1. Multiple networked devices—Desktops, laptop PCs,
switches
2. Fast Ethernet LAN interface (the inside interface for
NAT)
3. PPPoE or PPPoA client and firewall implementation—
Cisco 1811/1812 or Cisco 1801/1802/1803 series
integrated services router, respectively
4. Point at which NAT occurs
5. Protected network
6. Unprotected network
7. Fast Ethernet or ATM WAN interface (the outside
interface for NAT)
 In the configuration example that follows, the
firewall is applied to the outside WAN interface
(FE0) on the Cisco 1811 or Cisco 1812 and
protects the Fast Ethernet LAN on FE2 by
filtering and inspecting all traffic entering the
router on the Fast Ethernet WAN interface FE1.
 Note that in this example, the network traffic
originating from the corporate network, network
address 10.1.1.0, is considered safe traffic and is
not filtered.
Configure Access Lists
Perform these steps to create access lists for use by the firewall, beginning in
global configuration mode:
 Step 1
Command
access-list access-list-number {deny | permit} protocol
source source-wildcard [ operator [port]] destination
Example
Router(config)# access-list 103 permit host 200.1.1.1 eq
isakmp any
Router(config)#
Purpose
Creates an access list which prevents

Internet- initiated traffic from reaching
the local (inside) network of the router,
and which compares source and
destination ports. See the Cisco IOS IP
Command
Configure Access Lists
 Step 2
Command
access-list access-list-number {deny | permit} protocol
source source-wildcard destination destination-wildcard
Example
Router(config)# access-list 105 permit ip 10.1.1.0 0.0.0.255
192.168.0.0 0.0.255.255
Router(config)#
Purpose
Creates an access list that allows

network traffic to pass freely
between the corporate network
and the local networks through
the configured VPN tunnel.
Configure Inspection Rules
Perform these steps to configure firewall inspection rules for all TCP and UDP
traffic, as well as specific application protocols as defined by the security policy,
beginning in global configuration mode:
 Step 1
Command
ip inspect name inspection-name protocol
Example
Router(config)# ip inspect
name firewall tcp
Router(config)#
Purpose
Defines an inspection rule for a

particular protocol.
Apply Access Lists and Inspection Rules to
Interfaces
Perform these steps to apply the ACLs and inspection rules to the network
interfaces, beginning in global configuration mode:
Step 1
Command
interface type number
Example
Purpose
Router(config)# interface vlan 1
Router(config-if)# Enters interface configuration
mode for the inside network
interface on your router.
Interfaces
 Step 2
Command
ip inspect inspection-name { in | out }
Example
Router(config-if)# ip inspect firewall in
Router(config-if)#
Purpose
Assigns the set of firewall

inspection rules to the inside
interface on the router.
Interfaces
Step 3
Command
Exit
Example
Router(config-if)# exit
Router(config)#
Purpose
Returns to global configuration

mode.
Interfaces
 Step 4
Command
interface type number
Example
Router(config)# interface fastethernet 0
Router(config-if)#
Purpose
Enters interface configuration

mode for the outside network
interface on your router.
Interfaces
Step 5
Command
ip access-group { access-list-number
| access-list-name } { in | out }
Example
Router(config-if)# ip access-group 103
in Purpose
Router(config-if)#
Assigns the defined ACLs to the
outside interface on the router..
Interfaces
 Step 6
Command
exit
Example Purpose
Router(config-if)# exit
Router(config)# Returns to global configuration
mode.
 Step 2
Configure Inspection Rules
Command
ip inspect name inspection-name protocol
Example
name firewall rtsp
name firewall h323
Router(config)# ip inspect Purpose
name firewall netshow
Router(config)# ip inspect Repeat this command for each
name firewall ftp inspection rule that you wish to
Router(config)# ip inspect use.
name firewall sqlnet
Router(config)#
Firewall Limitations
 A firewall is a crucial component of securing your

network and is designed to address the issues of
data integrity or traffic authentication (via stateful
packet inspection) and confidentiality of your
internal network (via NAT).
 Your network gains these benefits from a firewall
by receiving all transmitted traffic through the
firewall.
The importance of including a firewall in your security

strategy is apparent; however, firewalls do have the following
limitations:
 A firewall cannot prevent users or attackers with modems
from dialing into or out of the internal network, thus
bypassing the firewall and its protection completely.
 Firewalls cannot enforce your password policy or prevent
misuse of passwords. Your password policy is crucial in
this area because it outlines acceptable conduct and sets
the ramifications of noncompliance.
 Firewalls are ineffective against nontechnical security risks
such as social engineering.
 Firewalls cannot stop internal users from
accessing websites with malicious code,
making user education critical.
 Firewalls cannot protect you from poor
decisions.
 Firewalls cannot protect you when your
security policy is too lax.

Lect 7

Uploaded by

Copyright:

Available Formats

Lect 7

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lect 7

Uploaded by

Copyright:

Available Formats

Module-2

Security Device Management

• Different types of information security devices

• Data loss prevention

• Distributed denial of service prevention

• Mobile device security

• Security information and event management

• Security information and event management

• Firewalls are customizable. This means that

Creates an access list which prevents

Creates an access list that allows

Defines an inspection rule for a

Assigns the set of firewall

Returns to global configuration

Enters interface configuration

 A firewall is a crucial component of securing your

The importance of including a firewall in your security

You might also like