Modern Network Security: Study Guide for NSE 1
January 1, 2015
Fortinet Network Security Solutions
That is the question around which this primer was written: helping you learn the background,
processes, capabilities, and questions to consider when configuring your systems and networks to help
analyze, identify, and either allow or block traffic from entering or leaving your computer network in the
dynamic 21st Century information technology environment. In other words, modern network security.
Modern network security is comprised of many facets, some of which are in your control, others which
may not be. In an increasingly mobile world, traditional network security measures focused on desktop
platforms and dumbphones are no longer relevant to the world of tablets, phablets, and smartphones.
Because of the constantly changing landscape of network environments, organizations of all sizes and
complexities face challenges in keeping pace with change, developing counters to emerging threats, and
controlling network and security policies. Once the realm of the highly trained and richly resourced,
development of malicious code has become widespread to the degree that school children have been
known to compete with each other in hacking contests. To meet modern and emerging threats,
companies and organizations must adopt dynamic network security programs that keep pace with
changing trends and activities.
Back to the opening question: Should we be letting you in? People, or the man-machine interface, are
the weakest link in any security process. People are easily lulled into a false sense of security about the
effectiveness of passwords and access codes, identity verification, and policies regarding the use of
information technology (IT) systems and networks. It takes just one careless moment to potentially
breach the integrity of protected information and systems; if network security user policies and
protocols are too complicated, compliance is less likely. Because of this human factor it is important to
ensure that network security schemes are clear and simple for network administrators and users to
operate, with the necessary complexity to identify, deter, or contain threats being embedded in
state-of-the-art hardware and software solutions that are nearly transparent to internal network users.
But a note of caution: just as no two organizations are alike, neither will their networks, hardware,
software, or needs be alike. Each organization needs a customized strategic network security program
tailored to balance its needs against its operating environment, perceived threats, and operating
budget. Of course, the best network security program would be an end-to-end, 24/7 monitored program
with regular analytics informing plan effectiveness and potential enhancements; this would be the holy
grail of network security. Systems like Fortinet's Unified Threat Management (UTM) provide the ability
to balance needs, capabilities, and resources to secure networks while maintaining the ability of the
organization to operate. In essence, this book will help you learn how to take steps to best mitigate
the threats to your network and optimize network security while balancing those factors.
Threat Landscape
One may view the threat landscape much the same as law enforcement views threats, using three
primary characteristics: motive, means, and opportunity. In terms of technology threats, these terms
are translated into motivation (motive), knowledge (means), and access (opportunity). Motivation may
be as simple as a student trying to get into protected information or as malicious as a competitor trying
to delay or disable a company's ability to reach the market. Knowledge on networks, and hacking, is
widespread, with books and guides available globally through the Internet and often at little or no cost.
As for access, this is the area where the strength of your network security will pay off: identifying
potential threats, analyzing them, and either determining validity or cataloging and rejecting them as
a threat.
Contemporary and future threat landscapes are dynamic and often include unforeseen technological
advances. Devices and applications are under development and appear on the market more rapidly,
and with those new technologies come new threats. Not only companies and organizations, but also
individual users of less expensive technology such as smartphones, tablets, and laptop computers, who
are novices where information security is concerned, must deal with optimizing their devices and
applications while blocking potential threats. With the explosion of social media as the primary source of
connectivity for so many people internationally, addressing the hidden threats from social media sites is
a continuing challenge, and more cross-platform sharing and integration will continue to make device
and network security an evolving challenge at all levels.
IP Security (IPSec)
Firewall
Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
Antivirus/Antispyware
Web Filtering
Antispam
Traffic Shaping [2]
These functions work together, providing integrated security for the data center, concurrently providing
consolidated, clear control for administrators while presenting complex barriers to potential threats.
Figure 7 shows a notional data center firewall deployment, providing gatekeeper duty, integrated
security solutions (as depicted in Figure 6, above), with simplified control and complex protection.
Figure 14. Examples of businesses using IaaS, PaaS, and SaaS cloud models.
The Shared Security Responsibility (SSR) Model. When using application services (the cloud) for
applications and access to databases, these services come with a shared responsibility for security and
operations split between the cloud provider and the cloud tenant. Depending upon which model is
chosen for operations (IaaS, PaaS, or SaaS), your level of security responsibility changes in magnitude.
Referring back to Figure 13, as you relinquish more control of operations and decision-making and
configuration to the vendor/provider, such as with the SaaS model, your degree of security
responsibility also declines. Conversely, if you decide to retain more management, such as in the IaaS
model, your security responsibility increases in magnitude.
Summary
From an introduction to the current status of computer network options and configurations, to the
challenges posed by evolving technologies and advanced threats, this module has prepared a foundation
for more focused discussion on emerging threats and the development of network security technologies
and processes designed to provide organizations with the tools necessary to best defend against those
threats and continue uninterrupted, secure operations. The next module will focus on the Next
Generation Firewall (NGFW), an evolving technology in network security.
Technology Trends
Trends in information technology development and employment over the last 15 years have led to a
need to rethink the methodology behind modern network security. To further exacerbate this challenge,
these trends occurred simultaneously across major industry, all levels of business, and personal
consumer environments.
Consumerization of IT has resulted in IT-enabled devices, such as smartphones, digital music and video
players, recorders, cameras, and others, becoming so commonplace in the market that their lower
pricing resulted in an explosion of individual consumers acquiring technology-enabled devices for
personal use. This extends beyond the obvious devices listed above. IT-enabled devices now include
such appliances as refrigerator/freezers, home security systems, personal home networks that include
WiFi-enabled televisions, stereos, and even the automated smart house. In other words, what we have
to be mindful of today is the Internet of Things (IoT) when we acquire devices and appliances.
Because consumers have embraced technology devices for both communication and information
sharing, social media has been embraced at the business level as a way to reach consumer markets and
supplement Web and traditional marketing and communication pathways. With so many applications,
especially social media, being cloud based, the challenge of network security expands beneath the
surface of traffic and into substance.
With the proliferation of inexpensive, technology-enabled devices interacting with business networks,
including both external users and those using personal devices for work purposes (Bring Your Own
Device, BYOD), the question becomes one of how to provide security, network visibility, control, and
user visibility simultaneously without an exponential increase in required resources (Figure 15).
[Figure: NGFW evolution, contrasting a gatekeeper with complex architecture and complex control
against an NGFW gatekeeper with integrated architecture and simplified control]
NGFW Evolution
Next Generation Firewalls (NGFW) are an evolving technology offering high-performance protection
against a wide range of advanced threats to applications, data, and users. Going beyond standard
firewall protections, NGFW integrate multiple capabilities to combat advanced and emerging threats.
These capabilities include intrusion prevention system (IPS), deep packet scanning, network application
identification and control, and access enforcement based on user identity verification. Emerging tools
include Advanced Threat Protection (ATP) to mitigate multi-vector, persistent network or system attacks
against large and distributed enterprise networks.
Figure 28. Extending FortiGate NGFW with Advanced Threat Protection (ATP).
When integrated with NGFW, the capabilities of ATP enhance security by providing additional
protections against evolving threats, including:
Dual-level sandboxing, allowing code activity examination in simulated and virtual environments
to detect previously unidentified threats.
Detailed reporting on system, process, file, and network behavior, including risk assessments.
Secure Web Gateway through adding web filtering, botnet, and callback detection, preventing
communications with malicious sites and IPs.
Option to share identified threat information and receive updated in-line protections.
Option to integrate with other systems to simplify network security deployment.
NGFW Deployment
Edge vs. Core
When deploying the NGFW, segmentation is a key consideration (see Module 1, page 8), and NGFW
brings a unique combination of hardware- and software-related segmentation capabilities that allow
isolation of critical network sections, such as data centers. Deploying NGFW into an Edge Network
accomplishes the goal of providing control while optimizing critical infrastructure protection (Figure 37).
                     Flow-based                                 Proxy-based
Speed                Faster                                     Slower
Analysis method      Comparing traffic to database of           Conducting specific analysis on
                     known bad situations                       relevant information
TCP handling         TCP flow not broken. Only packet           TCP convention broken, TCP sequence
                     headers changed if necessary.              numbers changed.
Protocol awareness   Not required                               Understands protocol being analyzed
Buffering            (not given)                                Yes, when buffering, based on available
                                                                NGFW memory
Features supported   (not given)                                Antivirus, DLP, Web Content Filtering,
                                                                AntiSpam
Because Flow Mode does not unpack compressed files or email/FTP attachments, deploying antimalware in Flow Mode may result in decreased detection rate.
Summary
The concept of Next Generation Firewalls developed to address evolving threats as technology itself
evolved. With the rapid rise of technology integration, portability, and BYOD models in business,
education, and other environments, combined with the more widespread ability of hackers, from
novices to experts, to develop malicious code, a system building on the initial premise of NGFW needed
to be developed for the future.
Because of these capabilities and the flexibility to proactively address modern and developing threat
environments across networks of varying sizes, NGFW will be the standard in network firewall
protection at least through 2020.
UTM Features
UTMs are generally acquired as either cloud services or network appliances, and integrate firewall,
intrusion detection system (IDS), anti-malware, spam and content filtering, and VPN capabilities (Figure
40). These can be installed and updated as necessary to keep pace with emerging threats. [11]
UTM Functions
UTM provides a number of integrated functions beyond the scope of NGFW. Two of these important
functions focus on threats inherent in platform capabilities used daily by users in systems and networks
of all sizes, from personal computers, to smartphones and phablets, to networks and data center
operations and automated business functions. In particular, these common threats, which continue to
evolve with technology and the more widespread integration of technology components into common
devices, include email and surfing the Web.
You may have heard in many different commercials, both online and in other media, the phrase "we
have an app for that!" Fortunately, UTM has apps, or solutions, to help protect your networks from
these continually evolving threats.
Antispam. One of the most widely used buttons on email applications is the one that allows users to
designate messages from a particular sender as spam, thereby routing them to a folder for which the
user receives no alert when a message arrives; messages there are often automatically deleted at a
programmed interval. UTM has an integrated Anti-Spam function as well, acting as a filter to block
many threats like bots, many of which arrive in user email boxes. The multiple anti-spam capabilities
integrated into UTM may detect threats using a variety of methods, including:
Blocking known spam IP addresses to prevent receipt.
Blocking messages with any URL in the message body associated with known spam addresses.
Comparing message hashes against those for known spam messages. Those that match may
be blocked without knowledge of actual message content.
Comparing the client IP address and sender email address to stored whitelist/blacklist profiles.
Whitelist matches get through; blacklist matches get blocked.
Conducting a DNS lookup on the domain name to see if the domain exists or is blacklisted.
Blocking email based on matching message keywords or key phrases in a banned word/phrase
filter list. [9]
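As an added illustration (not code from the guide or from any Fortinet product), the following Python script applies the six checks listed above to a few constructed sample messages and reports which rule decided each one; the threat feeds, addresses, domains and simulated DNS answers are all invented for the example.

```python
import hashlib
import re

# Constructed stand-ins for a UTM's spam threat feeds (all values invented).
KNOWN_SPAM_IPS = {"203.0.113.7"}
SPAM_URL_DOMAINS = {"cheap-pills.example"}
WHITELIST = {"partner@trusted.example"}
BLACKLIST = {"198.51.100.9", "junk@spammer.example"}
# Simulated DNS: a domain missing from this table stands for NXDOMAIN.
DNS_TABLE = {"trusted.example": "ok", "spammer.example": "blacklisted"}
BANNED_PHRASES = ["act now", "free money"]
URL_RE = re.compile(r"https?://([\w.-]+)", re.IGNORECASE)


def body_hash(body):
    """Hash a whitespace/case-normalised body so trivial edits still match."""
    canonical = " ".join(body.lower().split())
    return hashlib.sha256(canonical.encode()).hexdigest()


# Hash of one previously seen spam body (constructed), as a feed would hold it.
KNOWN_SPAM_HASHES = {body_hash("FREE MONEY!!! act now")}


def classify(msg):
    """Return (verdict, reason) for a message dict with from/client_ip/body."""
    sender = msg["from"].lower()
    client_ip = msg["client_ip"]
    domain = sender.split("@", 1)[1] if "@" in sender else ""
    # Whitelist/blacklist profiles on client IP and sender address.
    if sender in WHITELIST:
        return ("allow", "sender whitelisted")
    if client_ip in BLACKLIST or sender in BLACKLIST:
        return ("block", "client IP or sender blacklisted")
    # Known spam IP addresses.
    if client_ip in KNOWN_SPAM_IPS:
        return ("block", "known spam IP")
    # URLs in the body pointing at known spam domains.
    for host in URL_RE.findall(msg["body"]):
        if host.lower() in SPAM_URL_DOMAINS:
            return ("block", "URL to known spam domain " + host)
    # Message hash versus known spam hashes (no need to inspect content).
    if body_hash(msg["body"]) in KNOWN_SPAM_HASHES:
        return ("block", "message hash matches known spam")
    # DNS lookup of the sender domain: does it exist, is it blacklisted?
    status = DNS_TABLE.get(domain)
    if status is None:
        return ("block", "sender domain does not resolve: " + domain)
    if status == "blacklisted":
        return ("block", "sender domain blacklisted: " + domain)
    # Banned word/phrase filter list.
    lowered = msg["body"].lower()
    for phrase in BANNED_PHRASES:
        if phrase in lowered:
            return ("block", "banned phrase: " + phrase)
    return ("allow", "no rule matched")


# Constructed sample messages, one per check plus a clean one.
SAMPLE_MESSAGES = [
    {"from": "partner@trusted.example", "client_ip": "192.0.2.10",
     "body": "Please act now on the attached invoice"},
    {"from": "someone@trusted.example", "client_ip": "203.0.113.7",
     "body": "hello"},
    {"from": "news@trusted.example", "client_ip": "192.0.2.11",
     "body": "See http://cheap-pills.example/deal today"},
    {"from": "offer@trusted.example", "client_ip": "192.0.2.12",
     "body": "free money!!!    ACT NOW"},
    {"from": "bob@unknown.example", "client_ip": "192.0.2.13",
     "body": "hi"},
    {"from": "ads@spammer.example", "client_ip": "192.0.2.14",
     "body": "hi"},
    {"from": "carol@trusted.example", "client_ip": "192.0.2.15",
     "body": "Please review the quarterly report"},
]


def run_samples():
    """Classify every sample; returns the list of (verdict, reason) pairs."""
    return [classify(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, (verdict, reason) in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{verdict:5} {msg['from']:28} {reason}")
```

The first sample shows why whitelist order matters: a whitelisted sender is accepted even though its body contains a banned phrase.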
Summary
NGFW improved on the basic gatekeeping security of Edge Firewalls by introducing such features as IPS,
Deep Packet Scanning, Network Application Identification and Control, and Access Enforcement.
However, beyond those capabilities, additional security functions meant additional appliances and
software configurations, increasing operational complexity for the network administrator.
Because increased operational complexity often results in bypassing of processes in the interest of time
or administrator overload, development was needed of a new dynamic vision of a flexible, future-ready
security solution to meet the needs of today's network environments and keep pace with, or think
ahead of, the advanced threats of the future. This dynamic, integrated network security concept,
Unified Threat Management (UTM), is in place today and ready for tomorrow's evolving challenges.
Overcoming the difficulties of patching together legacy systems with newer, state-of-the-art systems,
UTM brings flexibility, vision, power, and control to networks from SMB to large enterprises that have
international reach. Combining user-simple interfaces with threat-complex protections, as well as
cost-effective procurement, operations, and support, UTM provides an optimum system to best ensure
continued network operations in a secure environment.
Because of the focus of these threats on the application content component and transport rather than
link and physical components, firewalls designed to protect, load balance, and accelerate content
between web servers are necessary. This type of appliance is the Web Application Firewall (WAF),
designed to provide protection for web applications and related database content [8]. In order to
understand better the type of threats that the WAF faces in protecting networks, an examination of the
vulnerable areas targeted by application threats provides the necessary context.
Secure Socket Layer (SSL) traffic poses a challenge because legacy servers and load balancers cannot
manage the increased loads caused by SSL traffic that requires decryption, scanning, and re-encryption
in order to detect potential malicious code attempting to sneak into the network in encrypted data
packets.
Scalability is the concept of enabling a system, network, or application to handle a growing volume of
work in an efficient manner or, if necessary, to be enlarged to accommodate growth. Scalability may be
accomplished through the use of hardware, software, or a combination of both, in order to improve
availability and reliability by:
Managing data flow and workload across multiple servers to increase capacity
Improving application response times by either hardware upgrades or software solutions
Reducing costs by optimizing resources through improved allocation
Allocating data across multiple data centers to facilitate redundancy and recovery
[Figure: the seven OSI model layers: Application, Presentation, Session, Transport, Network, Data Link,
Physical]
Application Vulnerabilities
Because threats are constantly evolving, network security technologies and methods must evolve also.
An important point about modern and emerging threats is that they have a heavy content component
focused beyond physical and data link layers (L1 & L2). These threats focused on content include such
current challenges as:
Bots
Viruses
Ransomware
Spam
In this context, content refers to packet payload analysis and how payloads are transported, particularly
focusing on layers 3, 4, and 7 of the OSI Model.
Widespread use of applications provides commonality between business users and private consumers,
making application threats a problem with the potential for repeated instances if such a threat infects
the systems of multiple private users who interface with organizational networks. Such infections may
come from innocuous sources such as customers, clients, or those using a BYOD model who fail to carry
out regular security screenings on their equipment. They may also come from a dedicated effort by an
outside competitor, malcontent, or hacker to adversely affect the success of the organization.
OWASP
Fortunately, a global project exists that assists application developers and system/network security
administrators in identifying and understanding the prevalent and emerging application security threats.
This project is the Open Web Application Security Project (OWASP) and is also supported by an OWASP
Foundation in the United States.
OWASP is an open community dedicated to enabling organizations to conceive, develop,
acquire, operate, and maintain applications that can be trusted. All of the OWASP tools,
documents, forums, and chapters are free and open to anyone interested in improving
application security. Our freedom from commercial pressures allows us to provide
unbiased, practical, cost-effective information about application security. OWASP is not
affiliated with any technology company, although we support the informed use of
commercial security technology. [14]
One of the primary studies accomplished by OWASP is cataloging and ranking of the most prevalent
threats in web applications. A comparative analysis between the 2010 and 2013 findings appears in
Table 6 [27].
Over the prior four years, OWASP found consistency among the top four application threats to system
and network security:
SQL Injection
Broken Authentication & Session Mgmt
Of note, the OWASP analysis also provides information on which threats have increased and declined,
indicating trends that may assist security administrators in determining the most effective system and
network configurations.
SQL Injection. Insertion or injection of an SQL query via input data from the client to the application.
This type of attack may allow attackers to spoof identities, tamper with or delete data, change or void
transactions of various types, enable complete disclosure of the system's database (or destroy it or
make it unavailable), or even become a new database server administrator. It is common with PHP and
ASP applications and less likely with J2EE and ASP.NET applications. Severity depends on the attacker's
creativity and computer skills, but it has the potential to be devastating. SQL Injection is a high impact
threat.
Cross-site Scripting (XSS). Also referred to as XSS Injection: malicious scripts are injected into otherwise
benign and trusted web sites, generally in the form of browser-side scripts to be transmitted to end
users. Because the end user's browser regards the site as trusted, it will execute the script, allowing
access to any cookies, session tokens, or other information retained by the browser and used with the
site. Some of these scripts are even capable of rewriting content on HTML pages.
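As an added example (not from the guide or from OWASP), the Python below places a string-built SQL query beside its parameterized form, and an unescaped HTML template beside its escaped form, so the two defects above and their standard fixes can be compared on the same inputs; the in-memory SQLite table, the user names and the inputs are constructed for the illustration.

```python
import html
import sqlite3


def make_db():
    """In-memory SQLite table filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("carol", "carol@example.test"),
    ])
    return conn


def lookup_vulnerable(conn, name):
    """Builds the WHERE clause by concatenation, so client input becomes SQL.
    A quote character in the input ends the string literal and whatever
    follows is parsed as part of the query."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn, name):
    """Parameterized query: the driver binds the input as a value that is
    compared as data and never parsed as SQL, whatever it contains."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def greeting_vulnerable(name):
    """Reflects the client-supplied name into HTML unchanged: markup in the
    name is rendered, and run, by the browser as part of the trusted page."""
    return "<p>Hello, " + name + "</p>"


def greeting_hardened(name):
    """Escapes <, >, &, and quotes so the name is displayed as text only."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed inputs: an ordinary value, and two crafted ones that show the
# difference between each vulnerable function and its hardened version.
NORMAL_NAME = "bob"
INJECTED_NAME = "x' OR '1'='1"
SCRIPT_NAME = "<script>alert(1)</script>"


def compare():
    """Run both versions of each function; returns a dict of results."""
    conn = make_db()
    return {
        "sql_vulnerable_normal": lookup_vulnerable(conn, NORMAL_NAME),
        "sql_vulnerable_injected": lookup_vulnerable(conn, INJECTED_NAME),
        "sql_hardened_normal": lookup_hardened(conn, NORMAL_NAME),
        "sql_hardened_injected": lookup_hardened(conn, INJECTED_NAME),
        "html_vulnerable": greeting_vulnerable(SCRIPT_NAME),
        "html_hardened": greeting_hardened(SCRIPT_NAME),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:24} {value}")
```

With the crafted name the concatenated query returns every row in the table while the parameterized one returns none, and the escaped greeting contains no executable tag.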
Heuristics
One of the key features that enables WAFs to counter DDoS threats is heuristic, or behavior-based,
analysis. Behavior-based DDoS protection measures, however, require different mitigating parameters
than content-based protections. Some of these protection measures include configuring systems to
identify potential threats based on source volume (intent vs. content), ping rates (hardcoded vs.
custom), packet dimensions (coarse vs. granular), and trend-matching (fixed vs. adaptive). When using
these behavior-based DDoS protection measures, which focus on traffic characteristics rather than
content, policies do not require threat signature updates like content-based measures do.
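As an added example, not from the guide or from a Fortinet product, the Python below contrasts the two trend-matching styles named above on the source-volume measure: a fixed packets-per-second threshold beside an adaptive one that learns a baseline from recent windows. The one-second windows of per-source packet counts are a constructed sample, not captured traffic, and the parameters (history length, multiplier, floor) are choices made for the illustration.

```python
from collections import deque
from statistics import mean, pstdev

# Constructed one-second windows of packets-per-second by source IP
# (invented numbers, not captured traffic).
NORMAL_WINDOWS = [
    {"192.0.2.1": 22, "192.0.2.2": 25, "192.0.2.3": 19, "192.0.2.4": 27},
    {"192.0.2.1": 24, "192.0.2.2": 21, "192.0.2.3": 23, "192.0.2.4": 26},
    {"192.0.2.1": 20, "192.0.2.2": 28, "192.0.2.3": 22, "192.0.2.4": 24},
    {"192.0.2.1": 23, "192.0.2.2": 22, "192.0.2.3": 25, "192.0.2.4": 21},
]
# A window in which one new source floods at a rate far above the others.
FLOOD_WINDOW = {"192.0.2.1": 23, "192.0.2.2": 24, "192.0.2.3": 21,
                "203.0.113.50": 400}


def fixed_threshold_alerts(window, threshold):
    """Fixed policy: flag any source sending more than `threshold` pps."""
    return {src for src, pps in window.items() if pps > threshold}


class AdaptiveDetector:
    """Adaptive policy: learn what normal per-source volume looks like from
    recent windows and flag sources far above it (mean + k * stdev), never
    below an absolute floor so a quiet network does not alert on noise."""

    def __init__(self, history=10, k=3.0, floor=50):
        self.history = deque(maxlen=history)   # recent clean windows
        self.k = k
        self.floor = floor

    def limit(self):
        """Current alert threshold, or None until enough history exists."""
        if len(self.history) < 3:
            return None
        rates = [pps for window in self.history for pps in window.values()]
        return max(self.floor, mean(rates) + self.k * pstdev(rates))

    def observe(self, window):
        """Score one window; returns the set of flagged sources."""
        limit = self.limit()
        alerts = set()
        if limit is not None:
            alerts = {src for src, pps in window.items() if pps > limit}
        # Learn only from sources not just flagged, so a flood cannot
        # inflate the baseline and hide itself in later windows.
        self.history.append({s: p for s, p in window.items()
                             if s not in alerts})
        return alerts


def run_scenario(fixed_threshold=500):
    """Feed the normal windows to the adaptive detector, then the flood
    window to both policies; returns what each one flagged."""
    detector = AdaptiveDetector()
    baseline_alerts = set()
    for window in NORMAL_WINDOWS:
        baseline_alerts |= detector.observe(window)
    return {
        "alerts_during_baseline": baseline_alerts,
        "fixed": fixed_threshold_alerts(FLOOD_WINDOW, fixed_threshold),
        "adaptive": detector.observe(FLOOD_WINDOW),
        "adaptive_limit": detector.limit(),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:24} {value}")
```

A fixed threshold set for a large network (500 pps here) misses the 400 pps source, while the adaptive limit, learned from sources that never exceed 28 pps, flags it without any signature.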
Security Management
Simply stated, security management exists at the region where the scope of IT security and IT
operations meet.
As organizational structures grow in size and complexity, the tendency is for more network resources
(machines, servers, routers, etc.) to be deployed. As the network grows, so also does the scope of
potential threats to secure and efficient operation of the network to meet organizational goals. With the
global nature of modern business and e-commerce, the sheer number of branch and remote locations,
and managed devices, makes consolidated network security management essential for effective IT
administration.
To this end, the primary goal of security management is to reduce security risks by ensuring that
systems are properly configured, or hardened, to meet internal, regulatory, and/or compliance
standards. Security management is a software-based solution that integrates three primary elements:
Vulnerability Assessment. Network security analysis designed to identify critical IT security weaknesses
that a cyber-attacker could exploit.
Automated Remediation. Allows automated correction of faults or deficiencies (vulnerabilities)
identified in the assessment process. Provides reports and tools to track vulnerabilities that must be
remediated manually.
Configuration Management. Evaluates the security of a network's critical servers, operating system,
application-level security issues, administrative and technical controls, and identifies potential and
actual weaknesses, with recommended countermeasures.
IT managers are faced with challenges that range from simple codes to threats hidden in secure packets
designed to target cloud-based applications. Modern and emerging future threats present dynamic and
potentially complex challenges to network security, demanding comprehensive, complex security
solutions. Unfortunately, studies have shown that the more complex administrative functions become,
the less likely network administrators are to spend the requisite amount of attention on the various
apparatus and displays. For this reason, consolidation of security management into a single console
enabling monitoring and management of network security was developed. Through this integrated
monitoring and control solution, IT managers may address the following issues:
[Figure: security management (SM) architecture: SM Console, SM Database, and SM Monitored Devices]
Analytics
Without applying analytics to future decisions, they cease to serve a vital function for administrators.
The most important function of analytics is to ensure security effectiveness and improvement while
enabling optimum system and network performance.
Analytic reporting is designed to provide end-to-end analysis of system and network performance. In the
context of security management, this analysis includes factors concerning potential impacts on
performance due to attempted or successful attacks, actions taken by preventative policies and
apparatus that detected and prevented intrusion, forensic records of user data for system and network
functions, and so forth.
Reporting is designed to be a cyclical process, not a linear one; that is, the data analyzed is used to
inform decisions regarding whether policies, programming, or apparatus need to be updated or may
remain as currently constituted. If updates are necessary, analytics inform decision-makers, such as
corporate compliance groups, in determining what updates or reconfigurations are the right ones to
accomplish.
Security Information and Event Management
Security Information and Event Management (SIEM) [8] is a system that gathers security logs from
multiple sources and correlates logged events to be able to focus on events of importance. The SIEM
ecosystem is designed to address the unique requirements of a wide range of customers, from large
enterprises to managed security service providers (MSSPs) that manage thousands of individual
customer environments.
Key features include near real-time visibility for threat detection and prioritization, delivering visibility
across the entire IT infrastructure. It reduces and prioritizes alerts to focus investigations on an
actionable list of suspected incidents, enabling more effective threat management while producing
detailed data access and user activity reports.
SIEM operates on the basis of what logs the administrator has authorized to be forwarded from syslog
to the SIEM. These logs may be tuned further by setting a minimum severity level for log forwarding,
the levels being (in order of severity from least):
Debugging
Information
Notification
Warning
Error
Critical
Alert
Emergency
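As an added example (not code from the guide or from any SIEM product), the Python below decodes the severity carried in a syslog line's PRI field and applies a minimum-severity forwarding policy over a few constructed log lines; the hostnames, process IDs and messages are invented, and the level names follow the list above rather than the RFC 5424 names.

```python
import re

# Syslog severity codes: 0 is the most severe, 7 the least. The names are
# the ones the text uses; RFC 5424 calls 5/6/7 notice/informational/debug.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debugging"]
# PRI = facility * 8 + severity, carried in angle brackets at line start.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(line):
    """Decode the PRI field; returns a dict, or None for a malformed line."""
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the maximum
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "severity_name": SEVERITY_NAMES[pri & 7],
        "message": match.group(2).strip(),
    }


def forward_filter(lines, minimum="warning"):
    """Keep the lines a forwarder would send to the SIEM when configured
    with `minimum` as the least severe level to forward. 'warning' keeps
    warning, error, critical, alert and emergency; 'debugging' keeps all."""
    cutoff = SEVERITY_NAMES.index(minimum.lower())
    kept = []
    for line in lines:
        record = parse_syslog(line)
        if record is None:
            continue                   # malformed: nothing to score on
        if record["severity"] <= cutoff:
            kept.append(record)
    return kept


# Constructed sample lines (invented hosts, PIDs and messages).
SAMPLE_LINES = [
    "<13>Jan  1 10:00:01 fw01 sshd[411]: Accepted publickey for admin",
    "<15>Jan  1 10:00:02 fw01 sshd[411]: debug1: channel 0 open",
    "<11>Jan  1 10:00:05 fw01 sshd[412]: error: PAM: authentication failure",
    "<34>Jan  1 10:00:09 fw01 sudo: 3 incorrect password attempts",
    "not a syslog line at all",
    "<200>Jan  1 10:00:10 fw01 bogus: PRI out of range",
    "<0>Jan  1 10:00:11 fw01 kernel: panic - not syncing",
]


def severities_forwarded(minimum="warning"):
    """Severity names of the sample lines that pass the given policy."""
    return [r["severity_name"] for r in forward_filter(SAMPLE_LINES, minimum)]


if __name__ == "__main__":
    for level in ("debugging", "warning", "emergency"):
        print(f"minimum={level:10} forwards {severities_forwarded(level)}")
```

Malformed lines are dropped silently here; a production forwarder should count them, since a sudden rise in unparsable input is itself worth an alert.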
Acronyms
AD       Active Directory
ADC
ADN
AM       Antimalware
API
APT
ASIC
ASP
ATP      Advanced Threat Protection
AV       Antivirus
AV/AM    Antivirus/Antimalware
BYOD     Bring Your Own Device
CPU
DDoS
DLP
DNS
DoS      Denial of Service
DPI
DSL
FTP
FW       Firewall
Gb       Gigabyte
GbE      Gigabit Ethernet
Gbps
GSLB
GUI
IaaS     Infrastructure as a Service
ICMP
ICSA
ID       Identification
IDC
IDS      Intrusion Detection System
IM       Instant Messaging
IMAP
IoT      Internet of Things
IP       Internet Protocol
IPS      Intrusion Prevention System
IPSec    IP Security
IPTV
IT       Information Technology
J2EE
LAN
LDAP
LLB
LOIC
MSP
NSS Labs
OSI
PaaS     Platform as a Service
PC       Personal Computer
POE
POP3
QoS      Quality of Service
RDP
SaaS     Software as a Service
SDN      Software-Defined Network
SEG
SFP
SFTP
SIEM     Security Information and Event Management
SLA
SM       Security Management
SMB
SMS
SPoF
SQL
SSL      Secure Socket Layer
SWG
SYN
TCP
UDP
URL
USB
UTM      Unified Threat Management
VM       Virtual Machine
VoIP
VPN
WAF      Web Application Firewall
XSS      Cross-site Scripting
References
1. StrataIT. Did you leave your backdoor open over the holidays? 2012 [cited 2014 October 20];
Image: Fortinet UTM vs. Adhoc Network Security Model. Available from:
http://www.stratait.com/content/did-you-leave-your-backdoor-open-over-holidays.
2.
3. Frampton, K., The Differences Between IaaS, Saas, and PaaS. 2013, SmartFile.
4.
5.
6.
7.
8. Tam, K., et al., UTM Security with Fortinet: Mastering FortiOS. 2013, Waltham, MA: Elsevier.
9. Tittel, E., Unified Threat Management for Dummies. 2012, Hoboken, NJ: John Wiley & Sons.
10. Miller, L., Next-Generation Firewalls for Dummies. 2011, Indianapolis, IN: Wiley Publishing, Inc.
11. Rouse, M., Unified Threat Management Devices: Understanding UTM and its Vendors. Essential
Guide, 2014.
12.
13.
14. OWASP. About the Open Web Application Security Project. 2014 [cited 2014 October 31];
Available from: https://www.owasp.org/index.php/About_OWASP.
15. Maiwald, E., Network Security: A Beginner's Guide. 3rd ed. 2013, New York, NY: McGraw-Hill.
16. Nichols, S., Peak IPv4? Global IPv6 traffic is growing, DDoS dying, says Akamai. The Register,
2014.
17. Rouse, M., Application Delivery Controller. Essential Guide, 2013 [cited 2014 October 15];
Available from: http://searchnetworking.techtarget.com/definition/Application-deliverycontroller.
18.
19.