Question

How would you secure computer networks if you could design the Internet?

What technologies would you deploy or develop to meet the need?

CMGT/442

Answer 1

Within a network, we will find ways to add security to it, by installing and configuring devices that comply with the necessary measures providing a care behavior in the network.

The most common hardware that is implemented to increase security in the network are Firewall, IDS and IPS. It should be noted that within each network device (router / switch / hub) there are configurations that will help us increase security. The access control lists (ACL) are a clear example, they allow us to program rules to deny or allow a specific service or device within the networktraffic.

Firewall

It is a network device, where its main function is to block all access to the network (Incoming) and from it (Outgoing), through configurations called "rules or policies", it works by checking all specified traffic and comparing it with the logic of allow or deny according to behavior criteria.

• Restrictive: what is not explicitly allowed, will be denied.
• Permissive: what is not explicitly denied, will be allowed.

A firewall can be not only a network device, but we can also find it through an operating system software, also fulfilling the function of allowing or denying, where the firewall is installed, it will indicate as intermediate the communications of the network that want to inspect or protect.

1. Dual Homed-Firewall: the device has two devices, which allow interacting with both the public network and the private network
   

2. Multi Homed-Firewall: the team has several devices, which will allow interaction with several different networks, giving the possibility of implementing different policies and rules for each one
   

3. Demilitarized Zone (DMZ): a demilitarized zone or perimeter network is a local network that is located between the internal network of an organization and an external network, usually the Internet
   

• One of the objectives of a DMZ is that connections from the internal network and external to the DMZ are allowed.
• Generally positioned in that DMZ, the services that want to publish in a public network (Internet) such as email servers, Web and DNS.
• Within the family of Firewalls, we can also find services such as packet filtering (packet filtering), application layer (layer analysis) and statefull (memory of established sessions)

Intrusion Detection System (IDS)

Another element that can be found and help us "census" the type of traffic we have on the network is the IDS (Intrusion Detection Systems). By analyzing each packet that is circulating within its range of coverage, it has the capacity to detect anomalies or signatures, giving the possibility of programming rules based on what it detects in the network.

It also has a database (signatures) where based on the technique of "census" packages, compares them and acts accordingly, respecting the parameters assigned to which they are configured (sending alarms, emails, etc).

Act in 2 ways:

1. NIDS: totally hardware-based, you buy it and physically install it in your network place, where you want it to start "census" the traffic in search of anomalies.
   
2. HIDS: based on software, you simply acquire a license like any antivirus or download it if it is source code and install it, you can dedicate a complete machine to the IDS to optimize resources, 2 examples of free and widely used software They are Suricata y Snort.
   

Intrusion Prevention System (IPS)

And finally we have the IPS (Intrusion Prevention Systems) that unlike the IDS, it analyzes in real time, taking into account that possibility, a port of entry and another exit, its operating logic is to analyze incoming and outgoing traffic in Real time, this must be controlled well because it can cause performance problems in the network, since each packet will be analyzed and the network can return slowly.

Potential threats

Threats to information security threaten their confidentiality, integrity and availability. There are threats related to human failure, malicious attacks or natural catastrophes. Through the materialization of a threat could occur the access, modification or elimination of unauthorized information, the interruption of a service or the processing of a system, physical damage or theft of equipment and means of information storage.

This situation produces the following:

• Security holes in operating systems
• Security holes in applications
• Errors in system configurations
• Users who lack basic information about computer security

The potential attackers, collect information about the possible infrastructure of the computer network these give more chance to succeed, the most common information they seek is:

• Identification of the operating system: Attacks differ greatly depending on the operating system that is installed on the computer
• Scanning of protocols, ports and services: Services are the programs that the operating system loads itself to be able to work, printing service, automatic updates, etc.

Basic attacks

There are thousands of techniques, methods and attacks that an attacker could use to illegally enter your network, but there are always a few that are used by the majority and of which you must be prepared, let's see what they are:

1. Denial of service (DoS/DDoS) attacks, send you billions of requests to a service on your network so that it collapses causing a denial of service, because it will no longer accept incoming requests.
2. Attacks against the authentication, if you do not put a limit of access failed an attacker will use brute force to try to guess a user of your network.
3. Modification attacks and integrity damage, once inside your network, they can modify files and damage the integrity of your information.
4. Attacks taking advantage of security deficiencies, if you do not update or protect your network well, the attacker could find "holes" to attack.

Build a secure network

Currently there are millions of attacks against network infrastructures occurring throughout the day, to try to have a more secure network, because deep down we know that there are no 100% secure computer systems, but we know that we can reduce the possibilities that they attack us by designing a network infrastructure adapted to the best security practices in networks.

There are 3 key questions to ask, before designing a secure network:

1. What to protect?
2. How to protect?
3. Where to protect?

When we talk about knowing what to protect, it is important to determine what the most important assets of the network can be devices, services or even a certain type of traffic (encrypt internal traffic, to give an example) , it is not the same to protect the main server where the business logic of the company is to protect the server where deploys are made to test new features of the application. The one to protect, we will determine it by doing a risk analysis of the network, where we will know the level of importance of each asset in the network.

Active: any electronic device connected to the Internet.

A very common example, a client asked us to protect the local network (LAN) from any unauthorized traffic from the outside, well we know what to protect and we designed and implemented a firewall between the ISP and the router that will provide Wi-Fi to all devices that may have access.

What to protect is about having a clear objective of what you want to take care of or protect from attackers.

The how to protect, would be taking into account all the
services offered by the firewall (ACLs, NAT, VPN) and the
good use of them or other security devices such as IDS or IPS.

• ACL: It is a way to determine the appropriate access permissions to a certain object, depending on certain criteria of the process that makes the order these operations could include reading, writing and execution on a destination the criteria would be: origin of traffic, traffic destination and protocol used.

How does it work?
The firewall or router analyzes each packet, comparing it with the corresponding ACL and compares the ACL line by line if it finds a match, takes the corresponding action (allow or deny), and no longer reviews the remaining lines. That's why you have to list the commands from the most specific cases, to the most general ones.

Remember: the exceptions have to be before the general rule

The general rule, if you do not find a match in any of the lines, automatically reject the traffic consider that there is an implicit "deny any", at the end of each ACL there are many ways to create an ACL, we depend on what type of technology is used, writing it or through options in the application that is running.

How to protect, is to think what is the technology or method that will be used in the solution on what needs to be protected.

The where to protect, will be implemented in an area that is active firewall or security device, or taking into account the services or devices to protect, the location of it will be of greater importance to affect what we need to protect.

Structuring a secure network

When we are in front of a network, the first thing that should be done is a survey of all the involved devices and then we can have an idea of whether we should modify the topology or leave it like this. Knowing that we have equipment related to data protection, they should be positioned in a sector where access to that data meets the purpose we need, is it useful to put a firewall behind a network? Do we leave it configured for defect?, or worse yet, does an important server have free access from the Internet of any intruder?

That is what the structuring is about, protecting assets, confidential information, etc, in an efficient and safe way, taking into account the positioning of security devices or systems that we have for protection.

1. Survey of the network, how many assets are there?
2. What to protect?
3. In what sector of the network are they the same? Could they be elsewhere?
4. What do I have to protect them? (Budget, hardware and software)
5. Where do I protect them and where do I install the security system?
6. Is it okay what I did? Can there be other, safer options?
7. What happens if they attack and gain access to the network? Is there an incident or contingency plan?