Chapter 4: Network Security

What is networking?

A network is simply two or more computers linked together to share data,

information or resources.

To properly establish secure data communications, it is important to explore all

of the technologies involved in computer communications. From hardware and
software to protocols and encryption and beyond, there are many details,
standards and procedures to be familiar with.

Types of Networks

There are two basic types of networks:

 Local area network (LAN) - A local area network (LAN) is a network

typically spanning a single floor or building. This is commonly a limited
geographical area.
 Wide area network (WAN) - Wide area network (WAN) is the term usually
assigned to the long-distance connections between geographically
remote networks.

Network Devices

 Hub: Hubs are used to connect multiple devices in a network. They’re

less likely to be seen in business or corporate networks than in home
networks. Hubs are wired devices and are not as smart as switches or
routers.
 Switch: Rather than using a hub, you might consider using a switch, or
what is also known as an intelligent hub. Switches are wired devices that
know the addresses of the devices connected to them and route traffic
to that port/device rather than retransmitting to all devices. Offering
greater efficiency for traffic delivery and improving the overall
throughput of data, switches are smarter than hubs, but not as smart as
routers. Switches can also create separate broadcast domains when used
to create VLANs, which will be discussed later.
  Router: Routers are used to control traffic flow on networks and are
often used to connect similar networks and control traffic flow between
them. Routers can be wired or wireless and can connect multiple
switches. Smarter than hubs and switches, routers determine the most
efficient “route” for the traffic to flow across the network.
 Firewall: Firewalls are essential tools in managing and controlling
network traffic and protecting the network. A firewall is a network
device used to filter traffic. It is typically deployed between a private
network and the internet, but it can also be deployed between
departments (segmented networks) within an organization (overall
network). Firewalls filter traffic based on a defined set of rules, also
called filters or access control lists.
 Server: A server is a computer that provides information to other
computers on a network. Some common servers are web servers, email
servers, print servers, database servers and file servers. All of these are,
by design, networked and accessed in some way by a client computer.
Servers are usually secured differently than workstations to protect the
information they contain.
 Endpoint: Endpoints are the ends of a network communication link. One
end is often at a server where a resource resides, and the other end is
often a client making a request to use a network resource. An endpoint
can be another server, desktop workstation, laptop, tablet, mobile phone
or any other end user device.

Network terms

 Ethernet (IEEE 802.3) is a standard that defines wired connections of

networked devices. This standard defines the way data is formatted over
the wire to ensure disparate devices can communicate over the same
cables.
 Device Address: Media Access Control (MAC) Address - Every network
device is assigned a Media Access Control (MAC) address. An example is
00-13-02-1F-58-F5. The first 3 bytes (24 bits) of the address denote the
vendor or manufacturer of the physical network interface. No two
 devices can have the same MAC address in the same local network;
otherwise, an address conflict occurs. While MAC addresses are generally
assigned in the firmware of the interface, IP hosts associate that address
with a unique logical address. This logical IP address represents the
network interface within the network and can be useful to maintain
communications when a physical device is swapped with new hardware.
Examples are 192.168.1.1 and 2001:db8::ffff:0:1.

Networking at a Glance

This diagram represents a small business network, which we will build upon
during this lesson. The lines depict wired connections. Notice how all devices
behind the firewall connect via the network switch, and the firewall lies
between the network switch and the internet.

The network diagram below represents a typical home network. Notice the
primary difference between the home network and the business network is that
the router, firewall, and network switch are often combined into one device
supplied by your internet provider and shown here as the wireless access point.
Open Systems Interconnection (OSI) Model

The OSI Model was developed to establish a common way to describe the
communication structure for interconnected computer systems. The OSI model
serves as an abstract framework, or theoretical model, for how protocols should
function in an ideal world, on ideal hardware. Thus, the OSI model has become
a common conceptual reference that is used to understand the communication
of various hierarchical components from software interfaces to physical
hardware.

The OSI model divides networking tasks into seven distinct layers. Each layer is
responsible for performing specific tasks or operations with the goal of
supporting data exchange (in other words, network communication) between
two computers. The layers are interchangeably referenced by name or layer
number. For example, Layer 3 is also known as the Network Layer. The layers
are ordered specifically to indicate how information flows through the various
levels of communication. Each layer communicates directly with the layer
above and the layer below it. For example, Layer 3 communicates with both
the Data Link (2) and Transport (4) layers.

The Application, Presentation, and Session Layers (5-7) are commonly referred
to simply as data. However, each layer has the potential to perform
encapsulation. Encapsulation is the addition of header and possibly a footer
(trailer) data by a protocol used at that layer of the OSI model. Encapsulation
is particularly important when discussing Transport, Network and Data Link
layers (2-4), which all generally include some form of header. At the Physical
Layer (1), the data unit is converted into binary, i.e., 01010111, and sent across
physical wires such as an ethernet cable.

It's worth mapping some common networking terminology to the OSI Model so
you can see the value in the conceptual model.

Consider the following examples:

 When someone references an image file like a JPEG or PNG, we are

talking about the Presentation Layer (6).
 When discussing logical ports such as NetBIOS, we are discussing the
Session Layer (5).
 When discussing TCP/UDP, we are discussing the Transport Layer (4).
 When discussing routers sending packets, we are discussing the Network
Layer (3).
 When discussing switches, bridges or WAPs sending frames, we are
discussing the Data Link Layer (2).

Encapsulation occurs as the data moves down the OSI model from Application
to Physical. As data is encapsulated at each descending layer, the previous
layer’s header, payload and footer are all treated as the next layer’s payload.
The data unit size increases as we move down the conceptual model and the
contents continue to encapsulate.

The inverse action occurs as data moves up the OSI model layers from Physical
to Application. This process is known as de-encapsulation (or decapsulation).
The header and footer are used to properly interpret the data payload and are
then discarded. As we move up the OSI model, the data unit becomes smaller.
The encapsulation/de-encapsulation process is best depicted visually below:
Transmission Control Protocol/Internet Protocol (TCP/IP)

The OSI model wasn’t the first or only attempt to streamline networking
protocols or establish a common communications standard. In fact, the most
widely used protocol today, TCP/IP, was developed in the early 1970s. The OSI
model was not developed until the late 1970s. The TCP/IP protocol stack
focuses on the core functions of networking.

The most widely used protocol suite is TCP/IP, but it is not just a single protocol;
rather, it is a protocol stack comprising dozens of individual protocols. TCP/IP
is a platform-independent protocol based on open standards. However, this is
both a benefit and a drawback. TCP/IP can be found in just about every
available operating system, but it consumes a significant amount of resources
and is relatively easy to hack into because it was designed for ease of use rather
than for security.

At the Application Layer, TCP/IP protocols include Telnet, File Transfer Protocol
(FTP), Simple Mail Transport Protocol (SMTP), and Domain Name Service (DNS).

The two primary Transport Layer protocols of TCP/IP are TCP and UDP. TCP is a
full-duplex connection-oriented protocol, whereas UDP is a simplex
connectionless protocol. In the Internet Layer, Internet Control Message
Protocol (ICMP) is used to determine the health of a network or a specific link.
ICMP is utilized by ping, traceroute and other network management tools.
The ping utility employs ICMP echo packets and bounces them off remote
systems. Thus, you can use ping to determine whether the remote system
is online, whether the remote system is responding promptly, whether the
intermediary systems are supporting communications, and the level of
performance efficiency at which the intermediary systems are communicating.
Revisão de termos

Internet Protocol (IPv4 and IPv6)

IP is currently deployed and used worldwide in two major versions. IPv4

provides a 32-bit address space, which by the late 1980s was projected to be
exhausted. IPv6 was introduced in December 1995 and provides a 128-bit
address space along with several other important features.
IP hosts/devices associate an address with a unique logical address. An IPv4
address is expressed as four octets separated by a dot (.), for example,
216.12.146.140. Each octet may have a value between 0 and 255. However, 0
is the network itself (not a device on that network), and 255 is generally
reserved for broadcast purposes. Each address is subdivided into two parts: the
network number and the host. The network number assigned by an external
organization, such as the Internet Corporation for Assigned Names and Numbers
(ICANN), represents the organization’s network. The host represents the
network interface within the network.

To ease network administration, networks are typically divided into subnets.

Because subnets cannot be distinguished with the addressing scheme discussed
so far, a separate mechanism, the subnet mask, is used to define the part of
the address used for the subnet. The mask is usually converted to decimal
notation like 255.255.255.0.

With the ever-increasing number of computers and networked devices, it is

clear that IPv4 does not provide enough addresses for our needs. To overcome
this shortcoming, IPv4 was sub-divided into public and private address ranges.
Public addresses are limited with IPv4, but this issue was addressed in part with
private addressing. Private addresses can be shared by anyone, and it is highly
likely that everyone on your street is using the same address scheme.

The nature of the addressing scheme established by IPv4 meant that network
designers had to start thinking in terms of IP address reuse. IPv4 facilitated this
in several ways, such as its creation of the private address groups; this allows
every LAN in every SOHO (small office, home office) situation to use addresses
such as 192.168.2.xxx for its internal network addresses, without fear that some
other system can intercept traffic on their LAN.

This table shows the private addresses available for anyone to use:

The first octet of 127 is reserved for a computer’s loopback address. Usually,
the address 127.0.0.1 is used. The loopback address is used to provide a
mechanism for self-diagnosis and troubleshooting at the machine level. This
mechanism allows a network administrator to treat a local machine as if it were
a remote machine and ping the network interface to establish whether it is
operational.

IPv6 is a modernization of IPv4, which addressed a number of weaknesses in

the IPv4 environment:

 A much larger address field: IPv6 addresses are 128 bits, which supports
2128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 hosts.
This ensures that we will not run out of addresses.
 Improved security: IPsec is an optional part of IPv4 networks, but a
mandatory component of IPv6 networks. This will help ensure the
integrity and confidentiality of IP packets and allow communicating
partners to authenticate with each other.
 Improved quality of service (QoS): This will help services obtain an
appropriate share of a network’s bandwidth.

An IPv6 address is shown as 8 groups of four digits. Instead of numeric (0-9)

digits like IPv4, IPv6 addresses use the hexadecimal range (0000-ffff) and are
separated by colons (:) rather than periods (.). An example IPv6 address is
2001:0db8:0000:0000:0000:ffff:0000:0001. To make it easier for humans to read
and type, it can be shortened by removing the leading zeros at the beginning
of each field and substituting two colons (::) for the longest consecutive zero
fields. All fields must retain at least one digit. After shortening, the example
address above is rendered as 2001:db8::ffff:0:1, which is much easier to type.
As in IPv4, there are some addresses and ranges that are reserved for special
uses:

 ::1 is the local loopback address, used the same as 127.0.0.1 in IPv4.
 The range 2001:db8:: to 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff is reserved
for documentation use, just like in the examples above.
 fc00:: to fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff are addresses reserved for
internal network use and are not routable on the internet.

Security of the Network

TCP/IP’s vulnerabilities are numerous. Improperly implemented TCP/IP stacks

in various operating systems are vulnerable to various DoS/DDoS attacks,
fragment attacks, oversized packet attacks, spoofing attacks, and man-in-the-
middle attacks.

TCP/IP (as well as most protocols) is also subject to passive attacks via
monitoring or sniffing. Network monitoring, or sniffing, is the act of monitoring
traffic patterns to obtain information about a network.

Ports and Protocols (Applications/Services)

Physical ports

Physical ports are the ports on the routers, switches, servers, computers, etc.
that you connect the wires, e.g., fiber optic cables, Cat5 cables, etc., to
create a network.

Logical Ports

When a communication connection is established between two systems, it is

done using ports. A logical port (also called a socket) is little more than an
address number that both ends of the communication link agree to use when
transferring data. Ports allow a single IP address to be able to support multiple
simultaneous communications, each using a different port number. In the
Application Layer of the TCP/IP model (which includes the Session,
Presentation, and Application Layers of the OSI model) reside numerous
application- or service-specific protocols. Data types are mapped using port
numbers associated with services. For example, web traffic (or HTTP) is port
80. Secure web traffic (or HTTPS) is port 443. Table 5.4 highlights some of these
protocols and their customary or assigned ports. You’ll note that in several cases
a service (or protocol) may have two ports assigned, one secure and one
insecure. When in doubt, systems should be implemented using the most secure
version as possible of a protocol and its services.

Well-known ports (0–1023): These ports are related to the common protocols
that are at the core of the Transport Control Protocol/Internet Protocol
(TCP/IP) model, Domain Name Service (DNS), Simple Mail Transfer Protocol
(SMTP), etc.

Registered ports (1024–49151): These ports are often associated with

proprietary applications from vendors and developers. While they are officially
approved by the Internet Assigned Numbers Authority (IANA), in practice many
vendors simply implement a port of their choosing. Examples include Remote
Authentication Dial-In User Service (RADIUS) authentication (1812), Microsoft
SQL Server (1433/1434) and the Docker REST API (2375/2376).

Dynamic or private ports (49152–65535): Whenever a service is requested that

is associated with well-known or registered ports, those services will respond
with a dynamic port that is used for that session and then released.

Secure Ports

Some network protocols transmit information in clear text, meaning it is not

encrypted and should not be used. Clear text information is subject to network
sniffing. This tactic uses software to inspect packets of data as they travel
across the network and extract text such as usernames and passwords. Network
sniffing could also reveal the content of documents and other files if they are
sent via insecure protocols. The table below shows some of the insecure
protocols along with recommended secure alternatives.
SYN, SYN-ACK, ACK Handshake

Revisão de conhecimento

Understand Network (Cyber) Threats and Attacks

Types of Threats
Identify Threats and Tools Used to Prevent Them

So far in this chapter, we have explored how a TCP/IP network operates, and
we have seen some examples of how threat actors can exploit some of the
inherent vulnerabilities. The remainder of this module will discuss the various
ways these network threats can be detected and even prevented.

While there is no single step you can take to protect against all attacks, there
are some basic steps you can take that help to protect against many types of
attacks.

Here are some examples of steps that can be taken to protect networks.

 If a system doesn’t need a service or protocol, it should not be running.

Attackers cannot exploit a vulnerability in a service or protocol that isn’t
running on a system.
 Firewalls can prevent many different types of attacks. Network-based
firewalls protect entire networks, and host-based firewalls protect
individual systems.

Identify Threats and Tools Used to Prevent Them Continued

Intrusion Detection System (IDS)

An intrusion occurs when an attacker is able to bypass or thwart security

mechanisms and gain access to an organization’s resources. Intrusion detection
is a specific form of monitoring that monitors recorded information and real-
time events to detect abnormal activity indicating a potential incident or
intrusion. An intrusion detection system (IDS) automates the inspection of logs
and real-time system events to detect intrusion attempts and system failures.
An IDS is intended as part of a defense-in-depth security plan. It will work with,
and complement, other security mechanisms such as firewalls, but it does not
replace them.

IDSs can recognize attacks that come from external connections, such as an
attack from the internet, and attacks that spread internally, such as a malicious
worm. Once they detect a suspicious event, they respond by sending alerts or
raising alarms. A primary goal of an IDS is to provide a means for a timely and
accurate response to intrusions.

Intrusion detection and prevention refer to capabilities that are part of isolating
and protecting a more secure or more trusted domain or zone from one that is
less trusted or less secure. These are natural functions to expect of a firewall,
for example.

IDS types are commonly classified as host-based and network-based. A host-

based IDS (HIDS) monitors a single computer or host. A network-based IDS (NIDS)
monitors a network by observing network traffic patterns.

Host-based Intrusion Detection System (HIDS)

A HIDS monitors activity on a single computer, including process calls and

information recorded in system, application, security and host-based firewall
logs. It can often examine events in more detail than a NIDS can, and it can
pinpoint specific files compromised in an attack. It can also track processes
employed by the attacker. A benefit of HIDSs over NIDSs is that HIDSs can detect
anomalies on the host system that NIDSs cannot detect. For example, a HIDS
can detect infections where an intruder has infiltrated a system and is
controlling it remotely. HIDSs are more costly to manage than NIDSs because
they require administrative attention on each system, whereas NIDSs usually
support centralized administration. A HIDS cannot detect network attacks on
other systems.
Network Intrusion Detection System (NIDS)

A NIDS monitors and evaluates network activity to detect attacks or event

anomalies. It cannot monitor the content of encrypted traffic but can monitor
other packet details. A single NIDS can monitor a large network by using remote
sensors to collect data at key network locations that send data to a central
management console. These sensors can monitor traffic at routers, firewalls,
network switches that support port mirroring, and other types of network taps.
A NIDS has very little negative effect on the overall network performance, and
when it is deployed on a single-purpose system, it doesn’t adversely affect
performance on any other computer. A NIDS is usually able to detect the
initiation of an attack or ongoing attacks, but they can’t always provide
information about the success of an attack. They won’t know if an attack
affected specific systems, user accounts, files or applications.

Security Information and Event Management (SIEM)

Security management involves the use of tools that collect information about
the IT environment from many disparate sources to better examine the overall
security of the organization and streamline security efforts. These tools are
generally known as security information and event management (or S-I-E-M,
pronounced “SIM”) solutions. The general idea of a SIEM solution is to gather
log data from various sources across the enterprise to better understand
potential security concerns and apportion resources accordingly.

SIEM systems can be used along with other components (defense-in-depth) as

part of an overall information security program.

Preventing Threats

While there is no single step you can take to protect against all threats, there
are some basic steps you can take that help reduce the risk of many types of
threats.

 Keep systems and applications up to date. Vendors regularly release

patches to correct bugs and security flaws, but these only help when
they are applied. Patch management ensures that systems and
applications are kept up to date with relevant patches.
  Remove or disable unneeded services and protocols. If a system doesn’t
need a service or protocol, it should not be running. Attackers cannot
exploit a vulnerability in a service or protocol that isn’t running on a
system. As an extreme contrast, imagine a web server is running every
available service and protocol. It is vulnerable to potential attacks on
any of these services and protocols.
 Use intrusion detection and prevention systems. As discussed, intrusion
detection and prevention systems observe activity, attempt to detect
threats and provide alerts. They can often block or stop attacks.
 Use up-to-date anti-malware software. We have already covered the
various types of malicious code such as viruses and worms. A primary
countermeasure is anti-malware software.
 Use firewalls. Firewalls can prevent many different types of threats.
Network-based firewalls protect entire networks, and host-based
firewalls protect individual systems. This chapter included a section
describing how firewalls can prevent attacks.

Antivirus

The use of antivirus products is strongly encouraged as a security best practice

and is a requirement for compliance with the Payment Card Industry Data
Security Standard (PCI DSS). There are several antivirus products available, and
many can be deployed as part of an enterprise solution that integrates with
several other security products.

Antivirus systems try to identify malware based on the signature of known

malware or by detecting abnormal activity on a system. This identification is
done with various types of scanners, pattern recognition and advanced machine
learning algorithms.

Anti-malware now goes beyond just virus protection as modern solutions try to
provide a more holistic approach detecting rootkits, ransomware and spyware.
Many endpoint solutions also include software firewalls and IDS or IPS systems.

Scans

Here is an example scan from Zenmap showing open ports on a host.

Regular vulnerability and port scans are a good way to evaluate the
effectiveness of security controls used within an organization. They may reveal
areas where patches or security settings are insufficient, where new
vulnerabilities have developed or become exposed, and where security policies
are either ineffective or not being followed. Attackers can exploit any of these
vulnerabilities.

Firewalls

In building construction or vehicle design, a firewall is a specially built physical

barrier that prevents the spread of fire from one area of the structure to
another or from one compartment of a vehicle to another. Early computer
security engineers borrowed that name for the devices and services that isolate
network segments from each other, as a security measure. As a result,
firewalling refers to the process of designing, using or operating different
processes in ways that isolate high-risk activities from lower-risk ones.

Firewalls enforce policies by filtering network traffic based on a set of rules.

While a firewall should always be placed at internet gateways, other internal
network considerations and conditions determine where a firewall would be
employed, such as network zoning or segregation of different levels of
sensitivity. Firewalls have rapidly evolved over time to provide enhanced
security capabilities. This growth in capabilities can be seen in the graphic
below, which contrasts an oversimplified view of traditional and next-
generation firewalls. It integrates a variety of threat management capabilities
into a single framework, including proxy services, intrusion prevention services
(IPS) and tight integration with the identity and access management (IAM)
environment to ensure only authorized users are permitted to pass traffic across
the infrastructure. While firewalls can manage traffic at Layers 2 (MAC
addresses), 3 (IP ranges) and 7 (application programming interface (API) and
application firewalls), the traditional implementation has been to control
traffic at Layer 4.

Intrusion Prevention System (IPS)

An intrusion prevention system (IPS) is a special type of active IDS that

automatically attempts to detect and block attacks before they reach target
systems. A distinguishing difference between an IDS and an IPS is that the IPS is
placed in line with the traffic. In other words, all traffic must pass through the
IPS and the IPS can choose what traffic to forward and what traffic to block
after analyzing it. This allows the IPS to prevent an attack from reaching a
target. Since IPS systems are most effective at preventing network-based
attacks, it is common to see the IPS function integrated into firewalls. Just like
IDS, there are Network-based IPS (NIPS) and Host-based IPS (HIPS).
Revisão de conteúdo
Understand Network Security Infrastructure

On-Premises Data Centers

When it comes to data centers, there are two primary options: organizations
can outsource the data center or own the data center. If the data center is
owned, it will likely be built on premises. A place, like a building for the data
center is needed, along with power, HVAC, fire suppression and redundancy.

Heating, Ventilation and Air Conditioning (HVAC) / Environmental

High-density equipment and equipment within enclosed spaces requires

adequate cooling and airflow. Well-established standards for the operation of
computer equipment exist, and equipment is tested against these standards.
For example, the recommended range for optimized maximum uptime and
hardware life is from 64° to 81°F (18° to 27°C), and it is recommended that a
rack have three temperature sensors, positioned at the top, middle and bottom
of the rack, to measure the actual operating temperature of the environment.
Proper management of data center temperatures, including cooling, is
essential.

Cooling is not the only issue with airflow: Contaminants like dust and noxious
fumes require appropriate controls to minimize their impact on equipment.
Monitoring for water or gas leaks, sewer overflow or HVAC failure should be
integrated into the building control environment, with appropriate alarms to
signal to organizational staff. Contingency planning to respond to the warnings
should prioritize the systems in the building, so the impact of a major system
failure on people, operations or other infrastructure can be minimized.

Data Center/Closets

The facility wiring infrastructure is integral to overall information system

security and reliability. Protecting access to the physical layer of the network
is important in minimizing intentional or unintentional damage. Proper
protection of the physical site must address these sorts of security challenges.
Data centers and wiring closets may include the following:

 Phone, network, special connections.

 ISP or telecommunications provider equipment.
 Servers.
 Wiring and/or switch components.

Power

Data centers and information systems in general consume a tremendous amount

of electrical power, which needs to be delivered both constantly and
consistently. Wide fluctuations in the quality of power affect system lifespan,
while disruptions in supply completely stop system operations.

Power at the site is always an integral part of data center operations.

Regardless of fuel source, backup generators must be sized to provide for the
critical load (the computing resources) and the supporting infrastructure.
Similarly, battery backups must be properly sized to carry the critical load until
generators start and stabilize. As with data backups, testing is necessary to
ensure the failover to alternate power works properly.

Fire Suppression

For server rooms, appropriate fire detection/suppression must be considered

based on the size of the room, typical human occupation, egress routes and risk
of damage to equipment. For example, water used for fire suppression would
cause more harm to servers and other electronic components. Gas-based fire
suppression systems are more friendly to the electronics, but can be toxic to
humans.

Redundancy

The concept of redundancy is to design systems with duplicate components so

that if a failure were to occur, there would be a backup. This can apply to the
data center as well. Risk assessments pertaining to the data center should
identify when multiple separate utility service entrances are necessary for
redundant communication channels and/or mechanisms.
If the organization requires full redundancy, devices should have two power
supplies connected to diverse power sources. Those power sources would be
backed up by batteries and generators. In a high-availability environment, even
generators would be redundant and fed by different fuel types.

Memorandum of Understanding (MOU)/Memorandum of Agreement (MOA)

Some organizations seeking to minimize downtime and enhance BC (Business

Continuity) and DR (Disaster Recovery) capabilities will create agreements with
other, similar organizations. They agree that if one of the parties experiences
an emergency and cannot operate within their own facility, the other party will
share its resources and let them operate within theirs in order to maintain
critical functions. These agreements often even include competitors, because
their facilities and resources meet the needs of their particular industry.

For example, Hospital A and Hospital B are competitors in the same city. The
hospitals create an agreement with each other: if something bad happens to
Hospital A (a fire, flood, bomb threat, loss of power, etc.), that hospital can
temporarily send personnel and systems to work inside Hospital B in order to
stay in business during the interruption (and Hospital B can relocate to Hospital
A, if Hospital B has a similar problem). The hospitals have decided that they
are not going to compete based on safety and security—they are going to
compete on service, price and customer loyalty. This way, they protect
themselves and the healthcare industry as a whole.

These agreements are called joint operating agreements (JOA) or memoranda

of understanding (MOU) or memoranda of agreement (MOA). Sometimes these
agreements are mandated by regulatory requirements, or they might just be
part of the administrative safeguards instituted by an entity within the
guidelines of its industry.

The difference between an MOA or MOU and an SLA is that a Memorandum of

Understanding is more directly related to what can be done with a system or
the information.

The service level agreement goes down to the granular level. For example, if
I'm outsourcing the IT services, then I will need to have two full-time
technicians readily available, at least from Monday through Friday from eight
to five. With cloud computing, I need to have access to the information in my
backup systems within 10 minutes. An SLA specifies the more intricate aspects
of the services.

We must be very cautious when outsourcing with cloud-based services, because

we have to make sure that we understand exactly what we are agreeing to. If
the SLA promises 100 percent accessibility to information, is the access directly
to you at the moment, or is it access to their website or through their portal
when they open on Monday? That's where you'll rely on your legal team, who
can supervise and review the conditions carefully before you sign the dotted
line at the bottom.

Cloud

Cloud computing is usually associated with an internet-based set of computing

resources, and typically sold as a service, provided by a cloud service provider
(CSP).

Cloud computing is very similar to the electrical or power grid. It is provisioned

in a geographic location and is sourced using an electrical means that is not
necessarily obvious to the consumer. But when you want electricity, it’s
available to you via a common standard interface and you pay only for what
you use. In these ways, cloud computing is very similar. It is a very scalable,
elastic and easy-to-use “utility” for the provisioning and deployment of
Information Technology (IT) services.

There are various definitions of what cloud computing means according to the
leading standards, including NIST. This NIST definition is commonly used around
the globe, cited by professionals and others alike to clarify what the term
“cloud” means:

“a model for enabling ubiquitous, convenient, on-demand network access to a

shared pool of configurable computing resources (such as networks, servers,
storage, applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction.”
NIST SP 800-145

This image depicts cloud computing characteristics, service and deployment

models, all of which will be covered in this section and by your instructor.

Cloud Characteristics

Cloud-based assets include any resources that an organization accesses using

cloud computing. Cloud computing refers to on-demand access to computing
resources available from almost anywhere, and cloud computing resources are
highly available and easily scalable. Organizations typically lease cloud-based
resources from outside the organization. Cloud computing has many benefits
for organizations, which include but are not limited to:
  Usage is metered and priced according to units (or instances) consumed.
This can also be billed back to specific departments or functions.
 Reduced cost of ownership. There is no need to buy any assets for
everyday use, no loss of asset value over time and a reduction of other
related costs of maintenance and support.
 Reduced energy and cooling costs, along with “green IT” environment
effect with optimum use of IT resources and systems.
 Allows an enterprise to scale up new software or data-based
services/solutions through cloud systems quickly and without having to
install massive hardware locally.

Service Models

Some cloud-based services only provide data storage and access. When storing
data in the cloud, organizations must ensure that security controls are in place
to prevent unauthorized access to the data.

There are varying levels of responsibility for assets depending on the service
model. This includes maintaining the assets, ensuring they remain functional,
and keeping the systems and applications up to date with current patches. In
some cases, the cloud service provider is responsible for these steps. In other
cases, the consumer is responsible for these steps. Types of cloud computing
service models include Software as a Service (SaaS) , Platform as a Service
(PaaS) and Infrastructure as a Service (IaaS).
Software as a Service (SaaS)

Software as a Service (SaaS): A cloud provides access to software applications

such as email or office productivity tools. SaaS is a distributed model where
software applications are hosted by a vendor or cloud service provider and
made available to customers over network resources. SaaS is a widely used and
adopted form of cloud computing, with users most often needing an internet
connection and access credentials to have full use of the cloud service,
application and data. SaaS has many benefits for organizations, which include
but are not limited to: Ease of use and limited/minimal administration.
Automatic updates and patch management. The user will always be running the
latest version and most up-to-date deployment of the software release, as well
as any relevant security updates, with no manual patching required.
Standardization and compatibility. All users will have the same version of the
software release.

Platform as a Service (PaaS)

Platform as a Service (PaaS): A cloud provides an environment for customers to

use to build and operate their own software. PaaS is a way for customers to
rent hardware, operating systems, storage and network capacity over the
internet from a cloud service provider. The service delivery model allows
customers to rent virtualized servers and associated services for running
existing applications or developing and testing new ones. The consumer does
not manage or control the underlying cloud infrastructure, including network,
servers, operating systems or storage, but has control over the deployed
applications and possibly application-hosting environment configurations. A
PaaS cloud provides a toolkit for conveniently developing, deploying and
administering application software that is structured to support large numbers
of consumers, process very large quantities of data and potentially be accessed
from any point on the internet. PaaS clouds will typically provide a set of
software building blocks and a set of development tools such as programming
languages and supporting run-time environments that facilitate the
construction of high-quality, scalable applications. Additionally, PaaS clouds will
typically provide tools that assist with the deployment of new applications. In
some cases, deploying a new software application in a PaaS cloud is not much
more difficult than uploading a file to a web server. PaaS clouds will also
generally provide and maintain the computing resources (e.g., processing,
storage and networking) that consumer applications need to operate. PaaS
clouds provide many benefits for developers, including that the operating
system can be changed and upgraded frequently, along with associated features
and system services.

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS): A cloud provides network access to traditional

computing resources such as processing power and storage. IaaS models provide
basic computing resources to consumers. This includes servers, storage, and in
some cases, networking resources. Consumers install operating systems and
applications and perform all required maintenance on the operating systems
and applications. Although the consumer has use of the related equipment, the
cloud service provider retains ownership and is ultimately responsible for
hosting, running and maintenance of the hardware. IaaS is also referred to as
hardware as a service by some customers and providers. IaaS has a number of
benefits for organizations, which include but are not limited to: Ability to scale
up and down infrastructure services based on actual usage. This is particularly
useful and beneficial where there are significant spikes and dips within the
usage curve for infrastructure. Retain system control at the operating system
level.

Managed Service Provider (MSP)

A managed service provider (MSP) is a company that manages information

technology assets for another company. Small- and medium-sized businesses
commonly outsource part or all of their information technology functions to an
MSP to manage day-to-day operations or to provide expertise in areas the
company does not have. Organizations may also use an MSP to provide network
and security monitoring and patching services. Today, many MSPs offer cloud-
based services augmenting SaaS solutions with active incident investigation and
response activities. One such example is a managed detection and response
(MDR) service, where a vendor monitors firewall and other security tools to
provide expertise in triaging events. Some other common MSP implementations
are:

 Augment in-house staff for projects.

 Utilize expertise for implementation of a product or service.
 Provide payroll services.
 Provide Help Desk service management.
 Monitor and respond to security incidents.
 Manage all in-house IT infrastructure.

Service-Level Agreement (SLA)

The cloud computing service-level agreement (cloud SLA) is an agreement

between a cloud service provider and a cloud service customer based on a
taxonomy of cloud computing– specific terms to set the quality of the cloud
services delivered. It characterizes quality of the cloud services delivered in
terms of a set of measurable properties specific to cloud computing (business
and technical) and a given set of cloud computing roles (cloud service customer,
cloud service provider, and related sub-roles).

Think of a rule book and legal contract—that combination is what you have in a
service-level agreement (SLA). Let us not underestimate or downplay the
importance of this document/ agreement. In it, the minimum level of service,
availability, security, controls, processes, communications, support and many
other crucial business elements are stated and agreed to by both parties.

The purpose of an SLA is to document specific parameters, minimum service

levels and remedies for any failure to meet the specified requirements. It
should also affirm data ownership and specify data return and destruction
details. Other important SLA points to consider include the following:

 Cloud system infrastructure details and security standards.

 Customer right to audit legal and regulatory compliance by the CSP.
 Rights and costs associated with continuing and discontinuing service
use.
 Service availability.
 Service performance.
  Data security and privacy.
 Disaster recovery processes.
 Data location.
 Data access.
 Data portability.
 Problem identification and resolution expectations.
 Change management processes.
 Dispute mediation processes.
 Exit strategy.

Network Design

The objective of network design is to satisfy data communication requirements

and result in efficient overall performance.

Network Segmentation

Network segmentation involves controlling traffic among networked devices.

Complete or physical network segmentation occurs when a network is isolated
from all outside communications, so transactions can only occur between
devices within the segmented network.

DMZ

A DMZ is a network area that is designed to be accessed by outside visitors but

is still isolated from the private network of the organization. The DMZ is often
the host of public web, email, file and other resource servers.

VLAN

VLANs are created by switches to logically segment a network without altering

its physical topology.

VPN

A virtual private network (VPN) is a communication tunnel that provides point-

to-point transmission of both authentication and data traffic over an untrusted
network.
Defense in Depth

Defense in depth uses multiple types of access controls in literal or theoretical

layers to help an organization avoid a monolithic security stance.

NAC

Network access control (NAC) is a concept of controlling access to an

environment through strict adherence to and implementation of security policy.

Defense in Depth

Defense in depth uses a layered approach when designing the security posture
of an organization. Think about a castle that holds the crown jewels. The jewels
will be placed in a vaulted chamber in a central location guarded by security
guards. The castle is built around the vault with additional layers of security—
soldiers, walls, a moat. The same approach is true when designing the logical
security of a facility or system. Using layers of security will deter many
attackers and encourage them to focus on other, easier targets.

Defense in depth provides more of a starting point for considering all types of
controls—administrative, technological, and physical—that empower insiders
and operators to work together to protect their organization and its systems.

Here are some examples that further explain the concept of defense in depth:

 Data: Controls that protect the actual data with technologies such as
encryption, data leak prevention, identity and access management and
data controls.
 Application: Controls that protect the application itself with
technologies such as data leak prevention, application firewalls and
database monitors.
 Host: Every control that is placed at the endpoint level, such as antivirus,
endpoint firewall, configuration and patch management.
 Internal network: Controls that are in place to protect uncontrolled data
flow and user access across the organizational network. Relevant
technologies include intrusion detection systems, intrusion prevention
systems, internal firewalls and network access controls.
  Perimeter: Controls that protect against unauthorized access to the
network. This level includes the use of technologies such as gateway
firewalls, honeypots, malware analysis and secure demilitarized zones
(DMZs).
 Physical: Controls that provide a physical barrier, such as locks, walls or
access control.
 Policies, procedures and awareness: Administrative controls that reduce
insider threats (intentional and unintentional) and identify risks as soon
as they appear.

Zero Trust

Zero trust networks are often microsegmented networks, with firewalls at

nearly every connecting point. Zero trust encapsulates information assets, the
services that apply to them and their security properties. This concept
recognizes that once inside a trust-but-verify environment, a user has perhaps
unlimited capabilities to roam around, identify assets and systems and
potentially find exploitable vulnerabilities. Placing a greater number of
firewalls or other security boundary control devices throughout the network
increases the number of opportunities to detect a troublemaker before harm is
done. Many enterprise architectures are pushing this to the extreme of
microsegmenting their internal networks, which enforces frequent re-
authentication of a user ID, as depicted in this image.

Consider a rock music concert. By traditional perimeter controls, such as

firewalls, you would show your ticket at the gate and have free access to the
venue, including backstage where the real rock stars are. In a zero-trust
environment, additional checkpoints are added. Your identity (ticket) is
validated to access the floor level seats, and again to access the backstage
area. Your credentials must be valid at all 3 levels to meet the stars of the show.

Zero trust is an evolving design approach which recognizes that even the most
robust access control systems have their weaknesses. It adds defenses at the
user, asset and data level, rather than relying on perimeter defense. In the
extreme, it insists that every process or action a user attempts to take must be
authenticated and authorized; the window of trust becomes vanishingly small.

While microsegmentation adds internal perimeters, zero trust places the focus
on the assets, or data, rather than the perimeter. Zero trust builds more
effective gates to protect the assets directly rather than building additional or
higher walls.
Network Access Control (NAC)

An organization’s network is perhaps one of its most critical assets. As such, it

is vital that we both know and control access to it, both from insiders (e.g.,
employees, contractors) and outsiders (e.g., customers, corporate partners,
vendors). We need to be able to see who and what is attempting to make a
network connection.

At one time, network access was limited to internal devices. Gradually, that
was extended to remote connections, although initially those were the
exceptions rather than the norm. This started to change with the concepts of
bring your own device (BYOD) and Internet of Things (IoT).

Considering just IoT for a moment, it is important to understand the range of

devices that might be found within an organization. They include heating,
ventilation and air conditioning (HVAC) systems that monitor the ambient
temperature and adjust the heating or cooling levels automatically or air
monitoring systems, through security systems, sensors and cameras, right down
to vending and coffee machines. Look around your own environment and you
will quickly see the scale of their use.

Having identified the need for a NAC solution, we need to identify what
capabilities a solution may provide. As we know, everything begins with a policy.
The organization’s access control policies and associated security policies
should be enforced via the NAC device(s). Remember, of course, that an access
control device only enforces a policy and doesn’t create one.

The NAC device will provide the network visibility needed for access security
and may later be used for incident response. Aside from identifying
connections, it should also be able to provide isolation for noncompliant devices
within a quarantined network and provide a mechanism to “fix” the
noncompliant elements, such as turning on endpoint protection. In short, the
goal is to ensure that all devices wishing to join the network do so only when
they comply with the requirements laid out in the organization policies. This
visibility will encompass internal users as well as any temporary users such as
guests or contractors, etc., and any devices they may bring with them into the
organization.

Let’s consider some possible use cases for NAC deployment:

 Medical devices.
 IoT devices.
 BYOD/mobile devices (laptops, tablets, smartphones).
 Guest users and contractors.

As we have established, it is critically important that all mobile devices,

regardless of their owner, go through an onboarding process, ideally each
time a network connection is made, and that the device is identified and
interrogated to ensure the organization’s policies are being met.

Network Segmentation (Demilitarized Zone (DMZ))

Network segmentation is also an effective way to achieve defense in depth for

distributed or multi-tiered applications. The use of a demilitarized zone (DMZ),
for example, is a common practice in security architecture. With a DMZ, host
systems that are accessible through the firewall are physically separated from
the internal network by means of secured switches or by using an additional
firewall to control traffic between the web server and the internal network.
Application DMZs (or semi-trusted networks) are frequently used today to limit
access to application servers to those networks or systems that have a
legitimate need to connect.

Segmentation for Embedded Systems and IoT

An embedded system is a computer implemented as part of a larger system.

The embedded system is typically designed around a limited set of specific
functions in relation to the larger product of which it is a component. Examples
of embedded systems include network-attached printers, smart TVs, HVAC
controls, smart appliances, smart thermostats and medical devices.

Network-enabled devices are any type of portable or nonportable device that

has native network capabilities. This generally assumes the network in question
is a wireless type of network, typically provided by a mobile
telecommunications company. Network-enabled devices include smartphones,
mobile phones, tablets, smart TVs or streaming media players (such as a Roku
Player, Amazon Fire TV, or Google Android TV/Chromecast), network-attached
printers, game systems, and much more.

The Internet of Things (IoT) is the collection of devices that can communicate
over the internet with one another or with a control console in order to affect
and monitor the real world. IoT devices might be labeled as smart devices or
smart-home equipment. Many of the ideas of industrial environmental control
found in office buildings are finding their way into more consumer-available
solutions for small offices or personal homes.
Embedded systems and network-enabled devices that communicate with the
internet are considered IoT devices and need special attention to ensure that
communication is not used in a malicious manner. Because an embedded system
is often in control of a mechanism in the physical world, a security breach could
cause harm to people and property. Since many of these devices have multiple
access routes, such as ethernet, wireless, Bluetooth, etc., special care should
be taken to isolate them from other devices on the network. You can impose
logical network segmentation with switches using VLANs, or through other
traffic-control means, including MAC addresses, IP addresses, physical ports,
protocols, or application filtering, routing, and access control management.
Network segmentation can be used to isolate IoT environments.
Microsegmentation

The toolsets of current adversaries are polymorphic in nature and allow threats
to bypass static security controls. Modern cyberattacks take advantage of
traditional security models to move easily between systems within a data
center. Microsegmentation aids in protecting against these threats. A
fundamental design requirement of microsegmentation is to understand the
protection requirements for traffic within a data center and traffic to and from
the internet traffic flows.

When organizations avoid infrastructure-centric design paradigms, they are

more likely to become more efficient at service delivery in the data center and
become apt at detecting and preventing advanced persistent threats.

Virtual Local Area Network (VLAN)

Virtual local area networks (VLANs) allow network administrators to use

switches to create software-based LAN segments, which can segregate or
consolidate traffic across multiple switch ports. Devices that share a VLAN
communicate through switches as if they were on the same Layer 2 network.
This image shows different VLANs — red, green and blue — connecting separate
sets of ports together, while sharing the same network segment (consisting of
the two switches and their connection). Since VLANs act as discrete networks,
communications between VLANs must be enabled. Broadcast traffic is limited
to the VLAN, reducing congestion and reducing the effectiveness of some
attacks. Administration of the environment is simplified, as the VLANs can be
reconfigured when individuals change their physical location or need access to
different services. VLANs can be configured based on switch port, IP subnet,
MAC address and protocols.

VLANs do not guarantee a network’s security. At first glance, it may seem that
traffic cannot be intercepted because communication within a VLAN is
restricted to member devices. However, there are attacks that allow a
malicious user to see traffic from other VLANs (so-called VLAN hopping). The
VLAN technology is only one tool that can improve the overall security of the
network environment.
 Virtual Private Network (VPN)

A virtual private network (VPN) is not necessarily an encrypted tunnel. It is

simply a point-to-point connection between two hosts that allows them to
communicate. Secure communications can, of course, be provided by the VPN,
but only if the security protocols have been selected and correctly configured
to provide a trusted path over an untrusted network, such as the internet.
Remote users employ VPNs to access their organization’s network, and
depending on the VPN’s implementation, they may have most of the same
resources available to them as if they were physically at the office. As an
alternative to expensive dedicated point-to-point connections, organizations
use gateway-to-gateway VPNs to securely transmit information over the
internet between sites or even with business partners.

QUIZ FIM DE SESSÃO

1 1
Common network device used to connect networks. (D4.1
L4.1.1)
Question options:

A) Server

B) Endpoint

C) Router

D) Switch

Hide question 1 feedback

Correct. Routers are used to connect networks.

2 1
A common network device used to filter traffic. (D4.1 L4.1.1)
Question options:
 A) Server

B) Endpoint

C) Ethernet

D) Firewall

Hide question 2 feedback

Correct. This is the purpose of a firewall.

3 1
endpoint <------> Web server

Which port number is associated with the protocol typically

used in this connection? (D 4.1 L4.1.2)
Question options:

A) 21

B) 53

C) 80

D) 161

Hide question 3 feedback

Correct. This is the port for the HTTP protocol, commonly used for Web traffic.

4 1
An attack against the availability of a network/system; typically
uses many attacking machines to direct traffic against a given
target. (D4.2 L4.2.1)
Question options:

A) Worm
 B) Virus

C) Stealth

D) Distributed-denial-of-service (DDOS)

Hide question 4 feedback

Correct. This is the description of a DDOS attack.

5 1
A security solution installed on an endpoint in order to detect
potentially anomalous activity. (D4.2 L4.2.2)
Question options:

A) Router

B) Host-based intrusion prevention system

C) Switch

D) Security incident and event management system (SIEM)

Hide question 5 feedback

Correct. A HIPS is installed on an endpoint to detect potentially harmful activity.

6 1
A security solution that detects, identifies and often quarantines
potentially hostile software. (D4.2, L4.2.2)
Question options:

A) Firewall

B) Guard

C) Camera
 D) Anti-malware

Hide question 6 feedback

Correct. This is the definition of an anti-malware solution.

7 1
The common term used to describe the mechanisms that control
the temperature and humidity in a data center. (D4.3 L4.3.1)
Question options:

A) VLAN (virtual local area network)

B) HVAC (heating, ventilation and air conditioning)

C) STAT (system temperature and timing)

D) TAWC (temperature and water control)

Hide question 7 feedback

Correct. This is a common term in the industry.

8 1
A cloud arrangement whereby the provider owns and manages
the hardware, operating system, and applications in the cloud,
and the customer owns the data. (D4.3 L4.3.2)
Question options:

A) Infrastructure as a service (IaaS)

B) Morphing as a service (MaaS)

C) Platform as a service (PaaS)

D) Software as a service (SaaS)

Hide question 8 feedback

 Correct. This is a description of SaaS.

9 1
A portion of the organization's network that interfaces directly
with the outside world; typically, this exposed area has more
security controls and restrictions than the rest of the internal IT
environment. (D4.3 L4.3.3)
Question options:

A) National Institute of Standards and Technology (NIST)

B) Demilitarized zone (DMZ)

C) Virtual private network (VPN)

D) Virtual local area network (VLAN)

Hide question 9 feedback

Correct. DMZ is the term we typically use to describe an outward-facing portion of the IT environment ow

10 1
Which of the following tools can be used to grant remote users
access to the internal IT environment? (D 4.3 L4.3.3)
Question options:

A) VLAN (virtual local area network)

B) VPN (virtual private network)

C) DDOS (distributed denial-of-service)

D) MAC (media access control)