4. Network Security

Types of Networks

LAN

Local Area Network: Commonly limited geographical area

WAN

Wide Area Network: Long-distance connections between remote networks

Vocab

Hub: Used to connect multiple devices in a network

Switch: Know addresses of those connected with route traffic

Router: Controls traffic flow on networks by determining best "route"

Firewall: Filters traffic on a defined set of rules, ACL's or filters

Server: Provides info to other computers on a network

Endpoint: Ends of a network communication link

IEEE 802.3: Standard that defines wired connections

• Defines way data is formatted over wire so devices can communicate

MAC: Media Access Control: Every device is assigned a MAC address

• First 3 bytes (24 bits): OUI, or vendor ID of the NIC

OSI Model

Divides networking tasks into 7 layers, each responsible for specific tasks

1. Physical

Data converted into binary from electrical signals: Sent across wire

2. Data Link

Hardware: Switches, bridges, WAP frames

3. Network

Routing/Packets

4. Transport

TCP/UDP

5. Session

Data: Logical ports, NetBIOS

6. Presentation

Data: Images

7. Application

Apps

Encapsulation

Encapsulation: Adds header/trailer used at L2-4:

• Data moves DOWN OSI from app to phy

• As data is encapsulated the previous header/payload/footer are treated as the next layer’s payload

• Data unit size increases as we move down

Decapsulation

Decapsulation: Data moves UP OSI from phy to app

• Moving up means smaller data

• Header/footer used to properly interpret data payload/discarded

TCP/IP

1. Application

Defines protocols for transport

2. Transport

Permits data to move among devices

3. Internet

Creates/inserts packets

4. Network Interface

How data moves through network

IPv4

32-bit address space

• Expressed as 4 octets separated by dot [ . ]

• Each octet may have value between 0 - 255

• 0 is network and 255 is for broadcast

Each address subdivided into 2 parts:

1. Network number: Number assigned by external org like ICANN

2. Host: Represents the network interface within the network

Subnet: Networks typically divided into subnets Subnet mask: Defines part of address for subnet in dec 255.255.255.0

IPv4 sub-divided into public/private address ranges Public addresses:

• 10.0.0.0 - 10.255.255.254

• 172.16.0.0 - 172.31.255.254

• 192.168.0.0 - 192.168.255.254

Loopback: First octet of 127 reserved for a loopback: 127.0.0.1

1. Mechanism for self-diagnosis, troubleshooting

2. Allows admins to treat local machine as remote

IPv6

128-bit address space

• IPSec: Improved sec:  Helps ensure integrity/confidentiality of packets

• Improved QoS: Helps services obtain appropriate bandwidth

• 8 groups of 4 digits in hex (0000-ffff) separated by colons [ : ]

Shortened by removing leading 0's at beginning of field and adding :: Loopback: ::1 used the same as 127.0.0.1

Difference between IDS/IPS

• IPS is placed in line with traffic: All traffic must pass through it

• IPS can choose what traffic to forward and what traffic to block

• NIPS: Network-Based IPS

• HIPS: Host-Based IPS Cloud: Usually associated with internet-based set of resources and typically sold as a service

• Provided by a CSP: Cloud Service Provider

Cloud Service Models

SaaS

Software as a Service A model where software apps are hosted by a vendor/CSP

PaaS

Platform as a Service A model customers use to build/operate their own software

• Way to rent hardware, storage and network capacity from a CSP

• Consumer doesn't manage/control underlying infrastructure, network, servers, or storage

IaaS

Infrastructure as a Service Network access to traditional resources such as processing power

Four Cloud Models

Public

Easily accessible. No mechanism other than applying, paying for service

1. Shared resource: Many people use resource pool

2. Deployment: Assets avail to consumers to rent, host by external CSP

3. Service level agreements

Private

Developed/deployed for a private org that builds its own cloud

1. Can create/host private clouds using own resources

2. Deployment model: Cloud-based assets for single org:

   1. Org responsible for all maintenance

3. Can rent resources from 3rd party/split requirements

Hybrid

Combining 2 forms of deployment models, typically public/private

1. Ability to retain control

2. Reusing previous investments in tech within org

3. Control over most critical business components, systems

4. Cost-effective means to fulfilling noncritical business functions

Community

Can be public/private

1. People of like minds can get together, share capabilities and services

Other: MSP

Managed Service Provider: Manages tech assets for another company

• May use to provide network/security monitoring/patching services

• Augment in-house staff for projects, expertise for a product or service

• Payroll services, help desk management, monitor/respond to incidents

• SLA: Service-Level Agreement:

  • Agreement between CSP/customer on cloud

DMZ

Area designed for access by visitors: Isolated from private network

VLAN

Created by switches to logically segment a network without altering physical topology

VPN: Virtual Private Network: Tunnel provides point-to-point transmission of auth/traffic

NAC: Network Access Control: Access through implementation of policy